
ModelScan Pickle Blocklist Bypass PoCs

Proof-of-concept pickle files demonstrating multiple bypasses of ModelScan's unsafe_globals blocklist. All files pass modelscan -p <file> with "No issues found" while achieving dangerous capabilities (RCE, file access, network exfil).

Key Findings

| File | Module | Impact | ModelScan |
|------|--------|--------|-----------|
| poc_ctypes_rce.pkl | ctypes.CDLL | Arbitrary command execution via libc.system() | CLEAN |
| poc_importlib_import.pkl | importlib.import_module | Imports any blocked module (defeats entire blocklist) | CLEAN |
| poc_io_file_read.pkl | _io.open | Arbitrary file read | CLEAN |
| poc_codecs_file_read.pkl | codecs.open | Arbitrary file read | CLEAN |
| poc_http_exfil.pkl | http.client.HTTPSConnection | Network data exfiltration | CLEAN |
| poc_urllib_exfil.pkl | urllib.request.urlopen | HTTP data exfiltration | CLEAN |

Reproduce

pip install modelscan
modelscan -p pocs/poc_ctypes_rce.pkl     # "No issues found"
python3 -c "import pickle; r=pickle.loads(open('pocs/poc_ctypes_rce.pkl','rb').read()); r.system(b'id')"

Tested on ModelScan 0.8.7, Python 3.12, Ubuntu 24.04.
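The common thread in the table is that a blocklist of module names can always be sidestepped by a module it does not name. The defender-side answer is an allowlist: the added example below (not part of this repository or of ModelScan) first enumerates every global a pickle stream would resolve without executing it, using pickletools, and then loads only through an Unpickler whose find_class refuses anything outside an allowlist. The allowlist contents and the sample byte strings are constructed for illustration.

```python
import collections
import io
import pickle
import pickletools

# Globals a model file may resolve. Assumption: extend for the framework in use
# (e.g. torch/numpy rebuild helpers). Anything not listed is refused.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Static pass: every (module, name) the stream asks the unpickler to import
    via GLOBAL/INST (protocol 0) or STACK_GLOBAL (protocol 4). Only opcodes are
    decoded; nothing is imported or executed. STACK_GLOBAL operands are read from
    the two latest string pushes, as pickle.dumps emits them; the runtime guard
    below stays the authoritative check for streams that use the memo instead."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

class AllowlistUnpickler(pickle.Unpickler):
    """Runtime guard: find_class runs for every global reference however it was
    encoded, so ctypes.CDLL, importlib.import_module, _io.open, codecs.open and
    the http/urllib clients are all refused before anything is called."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def is_blocked(data: bytes) -> bool:
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed samples (not this repository's PoC files): a benign model-like
# state dict, and two minimal streams that only resolve a global and then stop.
BENIGN = pickle.dumps(collections.OrderedDict(w=[0.1, 0.2]), protocol=4)
CDLL_REF = b"\x80\x04\x8c\x06ctypes\x8c\x04CDLL\x93."  # STACK_GLOBAL form
IMPORTLIB_REF = b"cimportlib\nimport_module\n."        # GLOBAL form
```

Running referenced_globals over a file before it is loaded gives a reviewable list of what it will import; safe_loads then refuses the ctypes and importlib streams while still loading the benign state dict.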
