The Art of Hide and Seek: Making Pickle-Based Model Supply Chain Poisoning Stealthy Again

TL;DR

This paper systematically uncovers the extensive and stealthy surface of pickle-based model poisoning in AI/ML frameworks, exposing critical gaps in current detection methods and demonstrating practical bypass techniques.

Contribution

It provides the first comprehensive analysis of pickle-based model poisoning surfaces, introduces new bypass techniques, and reveals significant limitations in existing scanners.

Findings

22 model loading paths identified, 19 missed by scanners

Developed Exception-Oriented Programming bypass, 7 of 9 bypass all scanners

133 exploitable gadgets found, 89% bypass rate against top scanners

Abstract

Pickle deserialization vulnerabilities have persisted throughout Python's history, remaining widely recognized yet unresolved. Due to its ability to transparently save and restore complex objects into byte streams, many AI/ML frameworks continue to adopt pickle as the model serialization protocol despite its inherent risks. As the open-source model ecosystem grows, model-sharing platforms such as Hugging Face have attracted massive participation, significantly amplifying the real-world risks of pickle exploitation and opening new avenues for model supply chain poisoning. Although several state-of-the-art scanners have been developed to detect poisoned models, their incomplete understanding of the poisoning surface leaves the detection logic fragile and allows attackers to bypass them. In this work, we present the first systematic disclosure of the pickle-based model poisoning surface from both model loading and risky function perspectives. Our research demonstrates how pickle-based model poisoning can remain stealthy and highlights critical gaps in current scanning solutions. On the model loading surface, we identify 22 distinct pickle-based model loading paths across five foundational AI/ML frameworks, 19 of which are entirely missed by existing scanners. We further develop a bypass technique named Exception-Oriented Programming (EOP) and discover 9 EOP instances, 7 of which can bypass all scanners. On the risky function surface, we discover 133 exploitable gadgets, achieving almost a 100% bypass rate. Even against the best-performing scanner, these gadgets maintain an 89% bypass rate. By systematically revealing the pickle-based model poisoning surface, we achieve practical and robust bypasses against real-world scanners. We responsibly disclose our findings to corresponding vendors, receiving acknowledgments and a $6000 bug bounty.