Hugging Face's logo

manja316
/
modelscan-bypass-codeop

PyTorch
security-research
modelscan-bypass
Model card Files
xet
 Community
modelscan-bypass-codeop / README.md
manja316's picture
manja316
Upload folder using huggingface_hub
d46afbd verified
preview code
|
raw
history blame contribute delete
1.08 kB
metadata 
library_name: pytorch
tags:
  - security-research
  - modelscan-bypass
license: mit

ModelScan Bypass PoC — codeop.compile_command

Security research for responsible disclosure via Huntr MFV program.

Vulnerability

codeop.compile_command is not in modelscan's unsafe_globals blocklist. When a pickle file containing this global is scanned by modelscan, it reports "No issues found." However, loading the file with pickle.loads() / torch.load() triggers compiles arbitrary Python code string to code object. Combined with types.FunctionType, achieves full RCE..

Impact

  • Severity: HIGH
  • Effect: compiles arbitrary Python code string to code object. Combined with types.FunctionType, achieves full RCE.

Bypass Class

builtins.compile is blocked but codeop.compile_command (which wraps compile()) is not. The returned code object can be wrapped in types.FunctionType(code, {}) to create and execute an arbitrary function.

Reproduction 

pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"