ModelScan NPZ extensionless member scanner bypass PoC
This repository is a security research artifact for a huntr Model File Vulnerability report.
Do not load these files outside an isolated test environment.
Files
no_extension_payload_member.npz
reproduce.py
requirements.txt
Summary
no_extension_payload_member.npz is a NumPy .npz archive containing an NPY-format object array member named payload without a .npy suffix.
ModelScan expands .npz archives and routes each archive member to a scanner based on the member's filename extension. Because the payload member has no extension, ModelScan skips it and reports zero issues for the archive. NumPy does not consult the member name for that decision: np.load(..., allow_pickle=True)["payload"] still loads the member and unpickles the object array.
The payload is harmless: it writes a local marker file, npz_no_ext_marker.txt, containing the text NPZ_NO_EXT_EXECUTED.
Why this matters
The same NPY object-array payload is detected by ModelScan when the archive member is named payload.npy. Removing the member suffix changes scanner visibility but not NumPy loader behavior.
This demonstrates a scanner/loader semantic gap for an archive-based model-file format.
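As an added illustration of the defensive side of this gap (example code written for this page, not part of this repository, ModelScan or NumPy): a scanner that identifies NPY members by their magic bytes and dtype header instead of by member name, so an object-dtype member is surfaced whether or not it carries a .npy suffix. It uses only the standard library and builds a constructed, benign in-memory fixture whose extensionless member holds a pickled list of one string.

```python
import ast, io, pickle, struct, zipfile

NPY_MAGIC = b"\x93NUMPY"

def parse_npy_header(data: bytes):
    """Return the parsed NPY header dict, or None if data is not an NPY stream."""
    if len(data) < 12 or data[:6] != NPY_MAGIC:
        return None
    # Format 1.x stores the header length as uint16 LE; 2.x/3.x use uint32 LE.
    fmt, start = ("<H", 10) if data[6] == 1 else ("<I", 12)
    hlen = struct.unpack(fmt, data[8:start])[0]
    try:
        return ast.literal_eval(data[start:start + hlen].decode("latin1").strip())
    except (ValueError, SyntaxError, UnicodeDecodeError):
        return None

def has_object_dtype(descr) -> bool:
    """True if the dtype descriptor (plain or structured) contains an object field."""
    if isinstance(descr, str):
        return descr.lstrip("|<>=").startswith("O")
    return isinstance(descr, list) and any(has_object_dtype(f[1]) for f in descr)

def scan_npz(blob: bytes) -> list:
    """Flag every member whose content is an NPY stream with an object dtype,
    whatever the member is named: loading such a member requires unpickling."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                header = parse_npy_header(fh.read(4096))  # header, not the body
            if header and has_object_dtype(header.get("descr", "")):
                flagged.append(info.filename)
    return flagged

def make_npy(descr: str, body: bytes) -> bytes:
    """Build a version-1.0 NPY stream whose header is padded to a 64-byte boundary."""
    hdr = "{'descr': '%s', 'fortran_order': False, 'shape': (1,), }" % descr
    pad = (64 - (10 + len(hdr) + 1) % 64) % 64
    hdr_bytes = (hdr + " " * pad + "\n").encode("latin1")
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(hdr_bytes)) + hdr_bytes + body

def build_fixture() -> bytes:
    """Constructed benign archive: a float32 member with a .npy suffix plus an
    extensionless object-array member named 'payload' (body: a pickled list)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("weights.npy", make_npy("<f4", struct.pack("<f", 1.0)))
        zf.writestr("payload", make_npy("|O", pickle.dumps(["benign"])))
    return buf.getvalue()
```

Running scan_npz(build_fixture()) returns ["payload"]: the float member passes and the extensionless object-array member is flagged despite its name.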
Reproduction
Use an isolated Python environment.
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python reproduce.py
Expected result:
ModelScan single-file scan:
total_issues: 0
total_scanned: 0
Loader:
npz_no_ext_marker.txt created: True
marker text: NPZ_NO_EXT_EXECUTED
Intended disclosure context
This artifact is intended to demonstrate a model-file scanner/loader semantic gap for the huntr Model File Vulnerabilities program.