tags:
- pytorch
- security-research
- modelscan-bypass
# Modelscan Bypass PoC — types.CodeType + types.FunctionType
## Technique
Constructs arbitrary executable Python bytecode as a `types.CodeType` object and wraps it in a `types.FunctionType`.
Neither `types.CodeType` nor `types.FunctionType` is in modelscan's blocklist.
The bytecode uses CPython's `IMPORT_NAME` opcode, which does not require `__builtins__` in the function globals,
so the function can be created with an empty globals dict `{}`.
## Impact
**Full arbitrary code execution.** This technique can embed ANY Python bytecode, making the entire
`unsafe_globals` blocklist approach ineffective. The dangerous operations (`os.system`, `subprocess`, etc.)
happen at the bytecode level, not at the pickle opcode level where modelscan checks.
## Modelscan Result
```
0 issues found
0 errors found
```
## Reproduction
```python
import pickle

# Load the crafted checkpoint with the standard-library unpickler.
with open("pytorch_model.bin", "rb") as f:
    result = pickle.load(f)
# Or via torch.load("pytorch_model.bin")
```
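The two globals this technique depends on are still visible in the pickle opcode stream, so a defender can refuse them before any `CodeType` object is built. The following is an added example, not code from the original PoC: a static scan with `pickletools` (no execution) plus an allowlisting `Unpickler`; `DENY`, `ALLOW` and the sample streams are constructed for this example.

```python
import io
import pickle
import pickletools

# Globals the technique above has to resolve. A weights checkpoint has no reason
# to reference them, so any occurrence is a finding (assumed list for this example).
DENY = {("types", "CodeType"), ("types", "FunctionType")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list:
    """Static scan of (module, name) pairs resolved by GLOBAL / STACK_GLOBAL.
    pickletools only decodes the opcode stream; nothing is executed. STACK_GLOBAL
    pops its operands, so the two most recent string pushes are tracked (the
    encoding the standard pickler emits); memo GET/PUT ops are not resolved."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))   # arg is "module name"
        elif op.name == "STACK_GLOBAL" and len(recent) == 2:
            found.append(tuple(recent))
    return found

def scan(data: bytes) -> list:
    """Findings: denied globals present in the stream."""
    return [g for g in referenced_globals(data) if g in DENY]

class RestrictedUnpickler(pickle.Unpickler):
    """Runtime control: only allowlisted globals resolve; types.CodeType and
    types.FunctionType are refused before any object is built."""
    ALLOW = {("collections", "OrderedDict")}  # assumed; extend to what the checkpoint needs
    def find_class(self, module, name):
        if (module, name) in self.ALLOW:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def loads_or_refused(data: bytes):
    """Unpickled object, or None when the allowlist refused a global."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None

# Constructed samples: the suspect streams only resolve the class object
# (no bytecode is built), which is enough to exercise both checks.
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=2)
SUSPECT_GLOBAL = b"\x80\x02ctypes\nCodeType\n."                    # protocol 2, GLOBAL
SUSPECT_STACK = b"\x80\x04\x8c\x05types\x8c\x0cFunctionType\x93."  # protocol 4, STACK_GLOBAL
```

`torch.load(..., weights_only=True)` applies the same allowlisting idea, and its `pickle_module` argument lets a custom `Unpickler` such as this one be substituted.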
## Affected Version
modelscan 0.7.6 (latest as of 2026-04-06)