You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

Modelscan Bypass: typing.get_type_hints() Annotation Evaluation RCE

Summary

A pickle file can achieve arbitrary code execution while passing modelscan with 0 issues detected.

Technique

The bypass chains two unblocked modules:

builtins.type — creates a class with malicious __annotations__
typing.get_type_hints — evaluates annotation strings via internal eval() call

Why it bypasses modelscan:

builtins.type: The builtins blocklist only covers eval, compile, getattr, apply, exec, open, breakpoint, __import__. type is NOT in this list.
builtins.object: Same — object not in blocklist.
typing.get_type_hints: The typing module is NOT in unsafe_globals at all.

How it achieves RCE:

typing.get_type_hints() internally calls eval() on forward reference annotation strings. By setting __annotations__ to contain Python code (e.g., __import__('os').system('...')), the eval executes arbitrary code.

The annotation [__import__('os').system('cmd'), int][-1] both executes the command AND returns int (a valid type), so get_type_hints() completes without error.

Impact

Severity: Critical — Full RCE
Affected: modelscan 0.7.6 (latest)
File formats: .pkl, .pickle, .bin, .pt, .pth, .ckpt, .joblib, .dill, .dat, .data

Reproduction

import pickle
# Load exploit.pkl — triggers RCE
pickle.loads(open('exploit.pkl', 'rb').read())

Modelscan result

total_issues: 0

Fix

Add to unsafe_globals:

typing: ["get_type_hints"] (or "*")
builtins: add "type" to the existing list

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support