You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

ModelScan Bypass PoC β€” importlib + operator.methodcaller

⚠️ SECURITY RESEARCH ONLY β€” This is a proof-of-concept for responsible disclosure.

This repository demonstrates a bypass of ProtectAI's ModelScan (v0.7.6) pickle scanner.

Vulnerability

The pytorch_model.bin file contains a crafted pickle payload that:

  1. Uses importlib.import_module (NOT in ModelScan's blocklist) to import os
  2. Uses operator.methodcaller (NOT in ModelScan's blocklist) to call os.system()
  3. Achieves arbitrary code execution while ModelScan reports "No issues found"

Reproduction

# 1. Scan with modelscan β€” reports clean
pip install modelscan
modelscan scan -p pytorch_model.bin
# Output: No issues found! πŸŽ‰

# 2. Load with pickle β€” executes code
python3 -c "import pickle; pickle.loads(open('pytorch_model.bin','rb').read())"
# Creates /tmp/modelscan_poc_proof

Impact

A malicious model file using this technique would pass HuggingFace's safety scan and execute arbitrary code when loaded by any user via torch.load() or pickle.loads().

Reported via Huntr MFV Program

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support