Hugging Face's logo

manja316
/
modelscan-bypass-eop

security-research
modelscan-bypass
Model card Files
xet
 Community
modelscan-bypass-eop / README.md
manja316's picture
manja316
Upload README.md with huggingface_hub
6f2bc71 verified
preview code
|
raw
history blame contribute delete
1.39 kB
metadata 
license: mit
tags:
  - security-research
  - modelscan-bypass

Modelscan EOP Bypass PoC — STACK_GLOBAL Offset 0 Scanner Crash

Vulnerability

picklescanner.py:87 uses range(1, n) to scan backward from STACK_GLOBAL opcode, which skips index 0. Placing a callable's module argument at position 0 causes the scanner to find only 1 argument instead of 2, raising ValueError.

This ValueError propagates to modelscan.py:175 where a broad except Exception handler converts it to a scanner error (not an issue).

Result: modelscan reports "No issues found!" while the pickle contains os.system (a CRITICAL blocklisted callable) and executes arbitrary commands.

Impact

This bypasses the entire unsafe_globals blocklist. Any callable (os.system, subprocess.Popen, etc.) can be used because the scanner crashes before checking the blocklist.

Reproduction 

modelscan scan -p eop_bypass_poc.pkl
# Output: "No issues found! 🎉"

python3 -c "import pickle; pickle.loads(open('eop_bypass_poc.pkl','rb').read())"
# Output: PWNED_BY_MODELSCAN_EOP_BYPASS

Root Cause 

# picklescanner.py:86-87
elif op_name == "STACK_GLOBAL":
    values: List[str] = []
    for offset in range(1, n):  # BUG: should be range(1, n+1) to include pos 0

Fix

Change range(1, n) to range(1, n+1) in picklescanner.py:87.