Many ML model files—`.nemo`, `.keras`, `.gguf`, even trusty `.pth`—are just zip/tar archives in disguise. Feed one to a loader that blindly calls `extractall()` and pow, you’ve opened the door to an archive-slip (Zip Slip, TarSlip) directory-traversal bug.
Although huntr’s scanner now grabs the easy catches—the classic `../../etc/passwd` or stray symlink—a smart variation on the same primitive can still score a bounty.
So why talk about archive slip at all? Because it’s still the easiest first hop toward higher-value goals—like load-time ACEs. Below we recap two real MFVs that relied on TarSlip and then show where today’s payouts really are. 🔎
When code unpacks an archive without validating each member’s final write path, attackers can:

- Path-traverse with `../` sequences or absolute paths.
- Abuse symlinks so an innocent-looking folder entry actually points outside the sandbox.
Model formats—`.nemo`, `.keras`, `.pth`, even many `.onnx` bundles—are just tar/zip files under a fancy extension. One-liner APIs (`model.from_pretrained()`) hide the extraction step, so sloppy extraction slips in unnoticed.
(Framework names redacted; focus on the pattern.)
- Any loader that does a raw `extractall()` will drop `/tmp/hacked` on disk.
- Even loaders that strip `../` often forget to block symlink entries.
- Write-anywhere is a perfect pivot to overwrite config files or plant second-stage payloads.
- DIY loaders are everywhere in research repos; they use `extractall()` or `extract()` behind the scenes.
- Supply-chain impact: one poisoned model hub entry can compromise countless CI pipelines.
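As an added example (not huntr’s code, and not from any of the loaders discussed), here is a Python extractor that applies the two checks the bugs above were missing: every tar member’s final write path, and the target of any symlink or hardlink entry, must resolve inside the destination before anything is written. The archives it exercises are constructed in-process; the entry names and the `run_demo` helper are assumptions of this example, not values from the page.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

def check_member(member: tarfile.TarInfo, dest: Path) -> None:
    """Reject an entry whose final write path or link target escapes dest (dest is resolved)."""
    target = (dest / member.name).resolve()  # collapses '../' and absolute names
    if os.path.commonpath([dest, target]) != str(dest):  # not startswith: '/out2' vs '/out'
        raise ValueError(f"path escapes destination: {member.name}")
    if member.islnk() or member.issym():  # hardlinks are archive-root relative, symlinks entry-relative
        base = dest if member.islnk() else target.parent
        if os.path.commonpath([dest, (base / member.linkname).resolve()]) != str(dest):
            raise ValueError(f"link escapes destination: {member.name} -> {member.linkname}")

def safe_extract(tar_bytes: bytes, dest: str) -> list[str]:
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        members = tf.getmembers()
        for m in members:
            check_member(m, Path(dest).resolve())  # fail closed before anything touches disk
        tf.extractall(dest, members=members)
    return [m.name for m in members]

def build_tar(entries) -> bytes:
    buf = io.BytesIO()  # constructed sample archive from (name, data, linkname) tuples
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname:  # symlink entry
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def run_demo() -> dict[str, bool]:
    """{label: rejected?} over constructed archives; only the benign one should extract."""
    cases = {"benign": [("model/weights.bin", b"\x00" * 16, None)],
             "traversal": [("../../tmp/hacked", b"x", None)],
             "absolute": [("/tmp/hacked", b"x", None)],
             "symlink": [("ckpt", None, "../../../etc"), ("ckpt/passwd", b"x", None)]}
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, entries in cases.items():
            try:
                safe_extract(build_tar(entries), os.path.join(root, label))
                results[label] = False
            except ValueError:
                results[label] = True
    return results
```

Recent Python versions also ship tarfile’s `filter="data"` extraction filter (PEP 706), which enforces the same kind of rules inside `extractall()`; the explicit check above keeps the rules visible and works on older interpreters.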
| High Value | Medium → Low |
| --- | --- |
| ✔ Code execution at load time via header/metadata abuse | ✔ Zip/TarSlip traversal |
| ✔ Backdoors or output manipulation | ✔ Bugs that fire only after extra imports |
| ✔ Tricks that evade our scanners (nested, encrypted, obfuscated) | ✔ DoS via oversized tensors |
Current reward tiers are posted on the bounties page; bigger impact + high-value format = bigger payout.
Archive-slip by itself is basically dead for bounty purposes—but it’s still the quickest way to get a write-anywhere primitive. Chain that primitive into load-time code execution, model-file backdoors & output tampering, or scanner evasion, and you’re solidly in high-value MFV territory.
Focus on extraction and deserialization paths, especially in high-value formats like `.safetensors`, `.gguf`, `.keras`, and `.joblib`. Show us something the scanner can’t see, and the bounty is yours.
Think you’ve got one? Submit your MFV—and happy hunting! 🤘