ModelScan Bypass PoC: pydoc.pipepager

Summary

This model file demonstrates a bypass of ProtectAI's modelscan scanner (v0.7.6). The file passes modelscan with "No issues found" but executes arbitrary shell commands when loaded via pickle.loads() or torch.load().

Technique

  • Module: pydoc
  • Function: pydoc.pipepager(text, cmd)
  • Mechanism: pydoc.pipepager internally calls subprocess.Popen(cmd, shell=True), enabling arbitrary command execution
  • Why it bypasses: The pydoc module is not in modelscan's unsafe_globals blocklist
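A blocklist of unsafe globals misses any module it did not anticipate, which is exactly why pydoc slips through; an allowlist of the globals a model pickle legitimately needs does not have that gap. The following is an added example, not code from this repository or from modelscan: a static walk of the pickle opcode stream that lists every imported global (GLOBAL and STACK_GLOBAL) plus an Unpickler that refuses anything outside an allowlist. The allowlist contents and the sample pickles are assumptions constructed here; the flagged sample only references pydoc.pipepager and never calls it.

```python
import collections
import io
import pickle
import pickletools
import pydoc

# Assumption: globals a plain PyTorch state_dict pickle legitimately needs.
# Tune to the formats you actually load; everything else is refused.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch", "FloatStorage"),
                   ("torch._utils", "_rebuild_tensor_v2")}
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}
_MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(data: bytes) -> set:
    # Static walk, nothing is executed. GLOBAL carries "module name" inline;
    # STACK_GLOBAL (protocol 4+) takes the two strings pushed just before it.
    found, recent = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.add((recent[-2], recent[-1]))
        elif op.name in _STRING_OPS:
            recent.append(arg)
            continue
        elif op.name in _MEMO_OPS:
            continue
        recent = []
    return found

def disallowed_globals(data: bytes) -> set:
    return referenced_globals(data) - ALLOWED_GLOBALS

class AllowlistUnpickler(pickle.Unpickler):
    # Runtime guard: find_class sees every global, so a module absent from a
    # blocklist (pydoc here) is still refused before any object is built.
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def constructed_samples() -> dict:
    # Constructed inputs: a benign state_dict-like pickle, and one that merely
    # references pydoc.pipepager (loading it yields the function, never a call).
    return {"benign": pickle.dumps(collections.OrderedDict([("w", 1)]), protocol=2),
            "pydoc_ref": pickle.dumps(pydoc.pipepager, protocol=4)}
```

The static scan is what a scanner should do instead of matching a fixed blocklist; the Unpickler is the last line of defence when a file must be loaded anyway.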

Verification

# Step 1: Scan with modelscan (reports 0 issues)
modelscan scan -p pytorch_model.bin

# Step 2: Load with pickle (executes the shell command)
python3 -c "
import pickle, zipfile
with zipfile.ZipFile('pytorch_model.bin') as zf:
    pickle.loads(zf.read('archive/data.pkl'))
"

Impact

Full remote code execution (RCE) on any system that loads this model file using pickle-based deserialization.

Disclosure

Reported via Huntr MFV program (ProtectAI).