Modelscan Bypass PoC: types.CodeType + types.FunctionType
Technique
Constructs arbitrary executable Python bytecode using types.CodeType and wraps it in types.FunctionType.
Neither types.CodeType nor types.FunctionType are in modelscan's blocklist.
The bytecode uses CPython's IMPORT_NAME opcode which doesn't require __builtins__ in the function globals,
allowing the function to be created with an empty globals dict {}.
Impact
Full arbitrary code execution. This technique can embed ANY Python bytecode, making the entire
unsafe_globals blocklist approach ineffective. The dangerous operations (os.system, subprocess, etc.)
happen at the bytecode level, not at the pickle opcode level where modelscan checks.
Modelscan Result
0 issues found
0 errors found
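A static check that would flag this pattern, added here as an example rather than as modelscan's own code: it disassembles the pickle with pickletools.genops (nothing is unpickled, so the scan itself cannot execute anything) and reports any reference to types.CodeType, types.FunctionType or the builtin compile/exec/eval, whether encoded as a protocol-2 GLOBAL or a protocol-4 STACK_GLOBAL. The sample pickles at the bottom are constructed by hand for the demonstration.

```python
import pickle
import pickletools

# Globals a serialized model has no legitimate reason to resolve. The bypass
# described above relies on the first two being absent from modelscan's blocklist.
SUSPICIOUS_GLOBALS = {
    ("types", "CodeType"),
    ("types", "FunctionType"),
    ("builtins", "compile"),
    ("builtins", "exec"),
    ("builtins", "eval"),
}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def find_suspicious_globals(data: bytes) -> list[tuple[str, str]]:
    """Walk the pickle opcode stream (no unpickling) and return every
    (module, name) pair from SUSPICIOUS_GLOBALS resolved via GLOBAL, INST
    or STACK_GLOBAL."""
    hits = []
    strings = []  # string constants seen so far, to resolve STACK_GLOBAL operands
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            # genops renders the two newline-terminated operands as "module name"
            module, name = arg.split(" ", 1)
            if (module, name) in SUSPICIOUS_GLOBALS:
                hits.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Protocol 4 form: module and name are the two most recently pushed
            # strings. Strings re-fetched from the memo (BINGET) are not tracked
            # here; a full scanner would also emulate memo opcodes.
            pair = (strings[-2], strings[-1])
            if pair in SUSPICIOUS_GLOBALS:
                hits.append(pair)
    return hits


# Constructed sample pickles (not real model files).
BENIGN = pickle.dumps({"weights": [0.1, 0.2]})
# Protocol 2: GLOBAL opcode with operands "types" and "CodeType"
CODETYPE_PICKLE = b"\x80\x02ctypes\nCodeType\n."
# Protocol 4: SHORT_BINUNICODE "types", SHORT_BINUNICODE "FunctionType", STACK_GLOBAL
FUNCTYPE_PICKLE = b"\x80\x04\x8c\x05types\x8c\x0cFunctionType\x93."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("codetype", CODETYPE_PICKLE),
                        ("functiontype", FUNCTYPE_PICKLE)]:
        print(label, find_suspicious_globals(blob))
```

Run it over a pytorch_model.bin before loading; a non-empty result means the file resolves a callable that a weights file should never need.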
Reproduction
import pickle
result = pickle.loads(open("pytorch_model.bin", "rb").read())
# Or via torch.load("pytorch_model.bin")
Affected Version
modelscan 0.7.6 (latest as of 2026-04-06)