
ModelscanBypass NPZ Format

Security research demonstrating that modelscan v0.7.6/v0.8.8 does not scan .npz (NumPy compressed) files.

Vulnerability

modelscan's scan_numpy() function explicitly skips .npz files with the message "Scanning of .npz files is not implemented yet" (modelscan/tools/picklescanner.py line 221).

.npz files are ZIP archives containing .npy files. NumPy .npy files with dtype=object use pickle internally. When loaded with np.load(allow_pickle=True), the pickle payload executes.

Impact

A malicious .npz file can contain arbitrary code execution payloads that modelscan will never detect.

Steps to Reproduce

import numpy as np

# Load the model - triggers RCE
data = np.load("model.npz", allow_pickle=True)
arr = data['config']  # executes payload
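Because an .npz is a ZIP of .npy members, the object-dtype members that carry pickle data can be identified from their headers alone, without ever calling np.load. The scanner below is an added example for this page, not modelscan's code or the repository's own; it parses each member's .npy header (magic, version, header length, dict literal) using only the standard library, and builds a constructed two-member archive with a harmless pickle standing in for the payload.

```python
import ast
import io
import pickle
import zipfile

NPY_MAGIC = b"\x93NUMPY"

def npy_descr(stream):
    """Parse the 'descr' entry of a .npy header; reads the header only, no NumPy needed."""
    pre = stream.read(12)
    if not pre.startswith(NPY_MAGIC):
        raise ValueError("not a .npy file")
    if pre[6] == 1:                       # format 1.0: 2-byte little-endian header length
        hlen, body = int.from_bytes(pre[8:10], "little"), pre[10:12]
    else:                                 # formats 2.x/3.x: 4-byte little-endian header length
        hlen, body = int.from_bytes(pre[8:12], "little"), b""
    body += stream.read(hlen - len(body))
    return ast.literal_eval(body.decode("latin1"))["descr"]

def has_object_dtype(descr) -> bool:
    """True if the dtype (plain or structured) contains an object ('O') field."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, tuple):          # structured field: (name, dtype[, shape])
        return has_object_dtype(descr[1])
    return any(has_object_dtype(d) for d in descr)

def scan_npz(blob: bytes):
    """Names of members whose data section is a pickle stream (needs allow_pickle=True)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            with zf.open(name) as member:
                if has_object_dtype(npy_descr(member)):
                    flagged.append(name)
    return flagged

def make_npy(descr: str, data: bytes) -> bytes:
    """Build a minimal format-1.0 .npy file (constructed fixture, header padded to 64 bytes)."""
    hdr = "{'descr': %r, 'fortran_order': False, 'shape': (1,), }" % descr
    hdr += " " * ((64 - (11 + len(hdr)) % 64) % 64) + "\n"
    return NPY_MAGIC + b"\x01\x00" + len(hdr).to_bytes(2, "little") + hdr.encode() + data

def build_sample_npz() -> bytes:
    """Constructed archive: one benign float array and one object array holding a harmless pickle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("weights.npy", make_npy("<f8", b"\x00" * 8))
        zf.writestr("config.npy", make_npy("|O", pickle.dumps("stand-in")))
    return buf.getvalue()
```

scan_npz(build_sample_npz()) returns ['config.npy']: the member a loader would only deserialize with allow_pickle=True, which is exactly the member modelscan's "not implemented yet" branch never inspects.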

modelscan Result

No issues found.
0 issues, 0 errors

For Authorized Security Research Only
