Pivoting Archive Slip Bugs into High-Value AI/ML Bounties

May 15, 2025 By Madison Vorbrich
Pivoting Slip Bugs

Many ML model files— .nemo, .keras, .gguf, even trusty .pth— are just zip/tar archives in disguise. Feed one to a loader that blindly calls extractall()and pow, you’ve opened the door to an archive-slip (Zip Slip, TarSlip) directory-traversal bug.

Although huntr’s scanner now grabs the easy catches—the classic ../../etc/passwd or stray symlink—a smart variation on the same primitive can still score a bounty.

So why talk about archive slip at all? Because it’s still the easiest first hop toward higher-value goals—like load-time ACEs. Below we recap two real MFVs that relied on TarSlip and then show where today’s payouts really are. 🔎

The Vulnerability Explained

When code unpacks an archive without validating each member’s final write path, attackers can:

  1. Path-traverse with ../ sequences or absolute paths.

  2. Abuse symlinks so an innocent-looking folder entry actually points outside the sandbox.

Model formats—.nemo, .keras, .pth, even many .onnx bundles—are just tar/zip files under a fancy extension. One-liner APIs (model.from_pretrained()) hide the extraction step, so sloppy extraction slips in unnoticed.

Two Classic PoCs

(Framework names redacted; focus on the pattern.)

Path-Traversal Demo

 

Any loader that does a raw extractall() will drop /tmp/hacked on disk.

Symlink Demo (beats naive path filters)

 

Even loaders that strip ../ often forget to block symlink entries.

Why Archive Slip Still Matters

  • Write-anywhere is a perfect pivot to overwrite config files or plant second-stage payloads.

  • DIY loaders are everywhere in research repos; they use extractall() or extract() behind the scenes.

  • Supply-chain impact: one poisoned model hub entry can compromise countless CI pipelines.

Where the Bounty Money Really Is

High Value

Medium → Low

.safetensors, .gguf, .keras, .joblib

.pkl, fringe formats

✔ Code execution at load time via header/metadata abuse

✔ Zip/TarSlip traversal

Backdoors or output manipulation 

✔ Bugs that fire only after extra imports

✔ Tricks that evade our scanners (nested, encrypted, obfuscated)

✔ DoS via oversized tensors

Current reward tiers are posted on the bounties page; bigger impact + high-value format = bigger payout.

Wrapping Up

Archive-slip by itself is basically dead for bounty purposes—but it’s still the quickest way to get a write-anywhere primitive. Chain that primitive into load-time code execution, model-file backdoors & output tampering, or scanner evasion, and you’re solidly in high-value MFV territory.

Focus on extraction and deserialization paths, especially in high-value formats like .safetensors, .gguf, .keras, and .joblib. Show us something the scanner can’t see, and the bounty is yours.

Think you’ve got one? Submit your MFV—and happy hunting! 🤘
Madison Vorbrich

Madison Vorbrich