Pickle .pkl RCE PoC - importlib.import_module + operator.methodcaller ModelScan Bypass
Vulnerability
Malicious .pkl file achieves Remote Code Execution using importlib.import_module + operator.methodcaller, bypassing ModelScan's unsafe_globals blocklist.
ModelScan Bypass
ModelScan's PickleUnsafeOpScan extracts GLOBAL/STACK_GLOBAL opcodes and checks against unsafe_globals. This payload only uses:
- importlib.import_module (NOT in blocklist)
- operator.methodcaller (NOT in blocklist; only operator.attrgetter is blocked)
Reproduction
import pickle
with open("model.pkl", "rb") as f:
model = pickle.load(f) # RCE occurs here
Check /tmp/pickle_rce_proof for execution evidence.
Impact
Arbitrary command execution when a user loads a malicious .pkl model file.
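As an added defensive example, not part of this repo's PoC, the following allowlist-based unpickler refuses any global that a model does not legitimately need, which covers both callables named above without having to enumerate them, and a small pickletools scan lists the referenced globals for triage. The allowlist entries and the two sample pickles are constructed here as assumptions.

```python
import collections
import io
import pickle
import pickletools

# Allowlist of (module, name) pairs a legitimate model may reference.
# Hypothetical: a real deployment derives this from its own model format.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}

class AllowlistUnpickler(pickle.Unpickler):
    # find_class() runs for both GLOBAL and STACK_GLOBAL, so the check is the
    # same whichever opcode the file uses, and an allowlist never has to
    # anticipate the next callable missing from a blocklist like unsafe_globals.
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)

def safe_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def rejects(data: bytes) -> bool:
    """True if safe_load() refuses the pickle before resolving any callable."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False

def referenced_globals(data: bytes):
    """Static triage: GLOBAL targets plus, for STACK_GLOBAL, the two most recent
    string pushes. Memo tricks can confuse this tracking, so enforcement belongs
    in the unpickler above, not here."""
    strings, found = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif "STRING" in op.name or "UNICODE" in op.name:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
    return found

# Constructed samples: a benign OrderedDict, and a protocol-0 pickle that only
# references the two globals named on this page (no REDUCE, so nothing is called
# even by an unrestricted loader); both exist only to exercise the checks.
BENIGN = pickle.dumps(collections.OrderedDict(a=1))
REFS_ONLY = b"(cimportlib\nimport_module\ncoperator\nmethodcaller\nt."
```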