modelscan-bypass-pipes-template

Security research: demonstrates modelscan bypass via pipes.Template shell command execution.

Vulnerability

pipes.Template is not in modelscan's unsafe_globals blocklist. Combined with operator.methodcaller (also unblocked), this achieves arbitrary shell command execution that passes modelscan with "No issues found".

Chain

  1. pipes.Template() → template object
  2. template.append(CMD, "--") → mutates template with shell command
  3. template.open("/dev/null", "r") → EXECUTES the command pipeline

Affected

  • modelscan 0.7.6 (latest PyPI)
  • modelscan GitHub main

Remediation

Add "pipes": "*" to unsafe_globals in settings.py.
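
A way to check the effect of that blocklist entry without loading any pickle, as an added example that is not modelscan's code: it walks the opcode stream with pickletools and matches imported globals against a blocklist. The blocklist contents, the sample byte strings, and the function names are constructed for illustration; only the "pipes": "*" entry comes from this page.

```python
import pickletools

# Constructed blocklist in the shape the fix implies ("module": "*" or a list
# of names). These entries are assumptions, not modelscan's real settings.
BLOCKLIST_BEFORE = {"os": "*", "subprocess": "*"}
BLOCKLIST_AFTER = {**BLOCKLIST_BEFORE, "pipes": "*"}


def pickle_globals(data: bytes):
    """Return (module, name) pairs a pickle would import, without loading it."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # Protocols 0-2: the argument is "module name" in one string.
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are taken from the stack. Simplified
            # here to the two most recent string pushes (memo reads ignored).
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def flagged(data: bytes, blocklist: dict):
    """List the imported globals that the given blocklist would report."""
    hits = []
    for module, name in pickle_globals(data):
        rule = blocklist.get(module)
        if rule == "*" or (rule and name in rule):
            hits.append(f"{module}.{name}")
    return hits


# Constructed samples: import opcodes only, no calls, never unpickled.
SAMPLE_V2 = b"cpipes\nTemplate\n0coperator\nmethodcaller\n."
SAMPLE_V4 = b"\x80\x04\x8c\x05pipes\x8c\x08Template\x93."

if __name__ == "__main__":
    for label, sample in (("protocol 2", SAMPLE_V2), ("protocol 4", SAMPLE_V4)):
        print(label, "before:", flagged(sample, BLOCKLIST_BEFORE) or "No issues found")
        print(label, "after: ", flagged(sample, BLOCKLIST_AFTER))
```
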
