manja316: Upload README.md with huggingface_hub (commit 3f070c8, verified)
---
tags:
  - pytorch
  - security-research
  - modelscan-bypass
---

Modelscan Bypass PoC — types.CodeType + types.FunctionType

Technique

The payload constructs arbitrary executable Python bytecode with types.CodeType and wraps it in types.FunctionType. Neither types.CodeType nor types.FunctionType is in modelscan's blocklist.

The bytecode uses CPython's IMPORT_NAME opcode, which doesn't require __builtins__ in the function globals, so the function can be created with an empty globals dict {}.

Impact

Full arbitrary code execution. This technique can embed ANY Python bytecode, making the entire unsafe_globals blocklist approach ineffective. The dangerous operations (os.system, subprocess, etc.) happen at the bytecode level, not at the pickle opcode level where modelscan checks.

Modelscan Result

0 issues found
0 errors found
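The allowlist alternative to a blocklist, as an added example that is not part of this PoC or of modelscan's code: a static opcode walk (pickletools.genops, nothing executed) that lists every global a pickle stream imports and flags anything outside an allowlist, plus a load-time Unpickler that enforces the same list. The allowlist contents and the sample streams are constructed for this example.

```python
import io
import pickle
import pickletools

# Allowlist of module.name pairs a checkpoint legitimately references (constructed here).
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch", "FloatStorage"),
                   ("torch._utils", "_rebuild_tensor_v2")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS, PUT_OPS = {"GET", "BINGET", "LONG_BINGET"}, {"PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(data: bytes) -> set:
    """Every module.name the stream imports, found by walking opcodes (nothing is
    executed). Handles GLOBAL and the STACK_GLOBAL form protocol 4+ emits."""
    found, memo, pushed = set(), {}, []      # pushed: strings (or None) in push order
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(pushed) >= 2:
            found.add((pushed[-2], pushed[-1]))   # module, name pushed just before
        if op.name in STRING_OPS:
            pushed.append(arg)
        elif op.name in GET_OPS:
            pushed.append(memo.get(arg))          # module names are often memo-reused
        elif op.name == "MEMOIZE":
            memo[len(memo)] = pushed[-1] if pushed else None
        elif op.name in PUT_OPS:
            memo[arg] = pushed[-1] if pushed else None
        else:
            pushed.append(None)                   # any other opcode: non-string push
    return found

def scan(data: bytes) -> set:
    """Globals outside the allowlist; empty means clean. No blocklist to bypass."""
    return referenced_globals(data) - ALLOWED_GLOBALS

class AllowlistUnpickler(pickle.Unpickler):
    """Load-time enforcement: every global must be allowlisted or loading fails."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()
# Constructed samples: a benign dict, then streams that only reference
# types.FunctionType (protocol 2 GLOBAL form, protocol 4 STACK_GLOBAL form).
BENIGN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)
REF_P2 = b"\x80\x02ctypes\nFunctionType\n."
REF_P4 = b"\x80\x04\x8c\x05types\x94\x8c\x0cFunctionType\x94\x93."
```

The STACK_GLOBAL tracking is a heuristic sufficient for pickle-generated streams; a hand-built stream that routes module and name through other opcodes would need full stack emulation, which is why the load-time AllowlistUnpickler is the enforcement point and the static scan is the triage step.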

Reproduction

```python
import pickle

with open("pytorch_model.bin", "rb") as f:
    result = pickle.loads(f.read())
# Or via torch.load("pytorch_model.bin")
```

Affected Version

modelscan 0.7.6 (latest as of 2026-04-06)