Picklescan Scanner Bypass PoC: codecs.open LFI

โš ๏ธ This is a security research PoC. Do NOT load untrusted model files.

Summary

This repository demonstrates a bypass in picklescan (v0.0.22), the scanner used by HuggingFace Hub to detect malicious pickle payloads in model files.

The file picklescan-bypass-poc.joblib contains a payload using codecs.open("/etc/passwd", "r") which:

  • Passes picklescan with 0 issues detected (the codecs.open global is classified as "suspicious", not "dangerous")
  • Successfully reads /etc/passwd when the file is loaded via joblib.load()

Scan Result

Issues: 0
Infected: 0
Globals: [Global(module='codecs', name='open', safety=<SafetyLevel.Suspicious>)]

Affected Versions

  • picklescan ≤ 0.0.22

Root Cause

codecs.open is not in picklescan's _unsafe_globals blocklist, so the scanner only classifies it as Suspicious. A Suspicious global does NOT increment issues_count or infected_files, and therefore does NOT block model loading.
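The root cause above is a policy gap: a global the scanner cannot vouch for is rated Suspicious and then ignored by the issue counters. A fail-closed alternative, added here as an example and not code from this repository or from picklescan, is to statically extract every global a pickle would import and block the load unless each one is on an explicit allowlist. The allowlist and the sample pickles are constructed for the example; the sample blobs only reference codecs.open by name and never call it.

```python
import codecs
import collections
import pickle
import pickletools

# Constructed allowlist for this example; a real loader would enumerate the
# globals its framework genuinely needs (numpy, sklearn, torch, ...).
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}

# Opcodes that push a text constant; STACK_GLOBAL consumes the last two.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}

def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the pickle would import.
    GLOBAL carries 'module name' as its argument; STACK_GLOBAL takes the two
    most recently pushed strings. Memo tricks (BINGET re-pushing an earlier
    string) are not emulated: an unresolvable import is reported as unknown,
    which verdict() still treats as blocking."""
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]) if len(strings) >= 2
                         else ("<unknown>", "<unknown>"))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found

def verdict(data: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Fail closed: any import outside the allowlist blocks the load instead
    of being rated merely 'suspicious' and reported as issues=0."""
    offending = [g for g in extract_globals(data) if g not in ALLOWED_GLOBALS]
    return ("BLOCK" if offending else "ALLOW"), offending

def sample_pickles() -> dict[str, bytes]:
    """Constructed inputs: a bare reference to codecs.open (no call) under
    protocols 4 and 2, plus two benign model-like blobs."""
    return {
        "codecs_ref_p4": pickle.dumps(codecs.open, protocol=4),
        "codecs_ref_p2": pickle.dumps(codecs.open, protocol=2),
        "plain_dict": pickle.dumps({"weights": [1.0, 2.0]}, protocol=4),
        "ordered": pickle.dumps(collections.OrderedDict(a=1), protocol=4),
    }
```

Running `verdict()` over `sample_pickles()` returns BLOCK with `[("codecs", "open")]` for both codecs references and ALLOW with an empty list for the two benign blobs.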

Responsible Disclosure

This vulnerability has been reported via Huntr.com's Model File Vulnerability Program.
