Modelscan EOP Bypass PoC — STACK_GLOBAL Offset 0 Scanner Crash

Vulnerability

picklescanner.py:87 uses range(1, n) to scan backward from the STACK_GLOBAL opcode, which skips index 0. When a callable's module argument is placed at position 0, the scanner finds only 1 argument instead of 2 and raises ValueError.

This ValueError propagates to modelscan.py:175, where a broad except Exception handler records it as a scanner error rather than as an issue.

Result: modelscan reports "No issues found!" while the pickle contains os.system (a CRITICAL blocklisted callable) and executes arbitrary commands.

Impact

This bypasses the entire unsafe_globals blocklist. Any callable (os.system, subprocess.Popen, etc.) can be used because the scanner crashes before checking the blocklist.

Reproduction

modelscan scan -p eop_bypass_poc.pkl
# Output: "No issues found! 🎉"

python3 -c "import pickle; pickle.loads(open('eop_bypass_poc.pkl','rb').read())"
# Output: PWNED_BY_MODELSCAN_EOP_BYPASS

Root Cause

# picklescanner.py:86-87
elif op_name == "STACK_GLOBAL":
    values: List[str] = []
    for offset in range(1, n):  # BUG: should be range(1, n+1) to include pos 0

Fix

Change range(1, n) to range(1, n+1) in picklescanner.py:87.
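
The off-by-one can be checked without loading any pickle. The following is an added example, not modelscan's own code: a simplified model of the backward scan described above, run over two constructed opcode streams that reference a harmless global. The function names, the MEMOIZE skip and the set of string opcodes are assumptions of this sketch.

```python
import collections
import pickle
import pickletools
from typing import List, Tuple

# Opcodes that push a string; assumed set for this simplified model.
STRING_OPS = {"SHORT_BINUNICODE", "UNICODE", "BINUNICODE", "BINUNICODE8"}

def stack_global_args(data: bytes, include_index_zero: bool) -> List[Tuple[str, str]]:
    """Return (module, name) for every STACK_GLOBAL, walking backward over the ops."""
    ops = list(pickletools.genops(data))  # parses opcodes only, never unpickles
    found = []
    for n, (op, _arg, _pos) in enumerate(ops):
        if op.name != "STACK_GLOBAL":
            continue
        # range(1, n) visits indices n-1..1; range(1, n+1) also reaches index 0.
        stop = n + 1 if include_index_zero else n
        values: List[str] = []
        for offset in range(1, stop):
            prev_op, prev_arg, _ = ops[n - offset]
            if prev_op.name == "MEMOIZE":  # bookkeeping opcode, not an argument
                continue
            values.append(prev_arg if prev_op.name in STRING_OPS else "unknown")
            if len(values) == 2:
                break
        if len(values) != 2:
            raise ValueError(f"found {len(values)} values for STACK_GLOBAL at {n}")
        found.append((values[1], values[0]))
    return found

# Constructed samples using a harmless global (collections.OrderedDict).
NORMAL = pickle.dumps(collections.OrderedDict, protocol=4)  # starts with PROTO, FRAME
# Hand-built stream with no PROTO header: the module string is opcode index 0.
INDEX0 = b"\x8c\x0bcollections\x8c\x0bOrderedDict\x93."

def scan_or_error(data: bytes, include_index_zero: bool):
    """Run the scan and report a ValueError as text instead of raising."""
    try:
        return stack_global_args(data, include_index_zero)
    except ValueError as exc:
        return f"scanner error: {exc}"

if __name__ == "__main__":
    for label, data in (("NORMAL", NORMAL), ("INDEX0", INDEX0)):
        for fixed in (False, True):
            print(label, "fixed" if fixed else "buggy", scan_or_error(data, fixed))
```

The INDEX0 stream with the corrected range is a natural regression test for the fix.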
