PoC: pickle scanner bypass (picklescan + modelscan) โ€” pathlib.Path.write_bytes + sqlite3 load_extension

Security-research artifact for a huntr Model File Vulnerability disclosure. malicious.pkl is a self-contained pickle that both picklescan 1.0.4 and modelscan 0.8.8 report as CLEAN yet executes native code on pickle.load: pathlib.Path.write_bytes writes an embedded SQLite extension to /tmp, then sqlite3 load_extension loads it. The payload is BENIGN โ€” it only writes a marker file (/tmp/oneshot_marker) to demonstrate code execution. Do not load untrusted pickles.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support