---
license: mit
tags:
- security-research
---

# ModelScan Bypass PoC: types.CodeType + types.FunctionType

Security research demonstrating a scanner bypass in ProtectAI's modelscan.

**DO NOT load these files in production environments.**

## Vulnerability
Pickle files using `types.CodeType` and `types.FunctionType` to construct arbitrary
executable functions pass modelscan with zero issues. The malicious payload is embedded
inside bytecode constants, invisible to the scanner's GLOBAL opcode inspection.
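Because the payload lives in bytecode constants, the only thing left in the opcode stream for a static scanner to key on is the import of those two `types` names. The following added check (example code, not part of this repository's PoC and not modelscan's own logic) walks a pickle with `pickletools.genops`, never unpickles it, and flags either encoding of such an import; the sample pickles are constructed inline and carry no payload.

```python
"""Static check for pickles that import types.CodeType / types.FunctionType.

Added example, not part of this repository's PoC. It walks the opcode
stream with pickletools.genops and never calls pickle.load, so it is safe
to run on untrusted files. It catches both opcode encodings of an import:
GLOBAL (protocols 0-3) and STACK_GLOBAL (protocol 4+).
"""
import io
import pickle
import pickletools
from typing import List, Tuple

# The two imports the PoC relies on to assemble a function from raw bytecode.
# A production rule should be an allow-list of expected imports instead.
FLAGGED_GLOBALS = {("types", "CodeType"), ("types", "FunctionType")}

# Opcodes that push a str which a later STACK_GLOBAL may consume.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def find_flagged_imports(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) pair from FLAGGED_GLOBALS that the pickle
    imports, in stream order, without executing any of it."""
    hits = []
    strings = []  # most recent string constants, for STACK_GLOBAL resolution
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            # pickletools reports the two newline-terminated lines as "module name"
            module, name = arg.split(" ", 1)
            if (module, name) in FLAGGED_GLOBALS:
                hits.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            module, name = strings[-2], strings[-1]
            if (module, name) in FLAGGED_GLOBALS:
                hits.append((module, name))
    return hits


# Constructed samples (not the files shipped in this repo). Unpickling either
# flagged sample would only return the class object; they carry no payload.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3]})
GLOBAL_SAMPLE = b"ctypes\nCodeType\n."                                   # protocol 0
STACK_GLOBAL_SAMPLE = b"\x80\x04\x8c\x05types\x8c\x0cFunctionType\x93."  # protocol 4

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE), ("GLOBAL", GLOBAL_SAMPLE),
                        ("STACK_GLOBAL", STACK_GLOBAL_SAMPLE)]:
        print(label, find_flagged_imports(blob))
```

A block-list like this only shows why these two names matter; for model files from untrusted sources, an allow-list of the imports a given framework legitimately needs is the stronger policy.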

## Files
- `types_bypass.pkl` — Pickle format PoC (executes `echo TYPES_CODETYPE_BYPASS_RCE`)
- `types_bypass.joblib` — Joblib format PoC (same payload)

## Responsible Disclosure
Submitted via Huntr (ProtectAI's bug bounty program).