Hugging Face's logo

manja316
/
modelscan-bypass-typing-forwardref

PyTorch
security-research
modelscan-bypass
Model card Files
xet
 Community
modelscan-bypass-typing-forwardref / README.md
manja316's picture
manja316
Upload folder using huggingface_hub
b4cd33c verified
preview code
|
raw
history blame contribute delete
545 Bytes
---
library_name: pytorch
tags:
 - security-research
 - modelscan-bypass
license: mit
---
# ModelScan Bypass PoC — typing.ForwardRef
Security research for responsible disclosure via Huntr MFV program.
## Vulnerability
`typing.ForwardRef` not in modelscan blocklist. Reports "No issues found" but triggers creates ForwardRef storing eval()-able string. When resolved (e.g. by get_type_hints), executes arbitrary code..
## Impact: HIGH
## Reproduction
```bash
pip install modelscan && modelscan scan -p bypass_poc.pkl
# "No issues found!"
```