ModelScan Pickle Scanner Bypass PoC

Summary

ModelScan v0.8.8's PickleUnsafeOpScan can be bypassed to achieve arbitrary code execution while the scanner reports 0 issues.

Root Cause

The pickle scanner uses a blocklist (unsafe_globals in settings.py) to detect dangerous pickle operations. This blocklist has critical gaps:

  1. importlib - not listed at all, allows dynamic import of any module (including os, subprocess)
  2. operator.methodcaller - not blocked (only operator.attrgetter is blocked), allows calling any method on any object
  3. codecs.open - not blocked (alternative to builtins.open which IS blocked)
  4. io.open - not blocked (another alternative to builtins.open)
  5. http.client - not blocked (old name httplib IS blocked, but modern http.client is not)

RCE Bypass Chain

importlib.import_module('os') -> <module 'os'>
operator.methodcaller('system', 'id') -> callable mc
mc(<module 'os'>) -> os.system('id') -> FULL RCE!

The scanner extracts globals ('importlib', 'import_module') and ('operator', 'methodcaller'), checks them against the blocklist, finds no match, and reports 0 issues.
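A defender-side way to see the root cause concretely is to compare the two detection models on the same bytes. The script below is an added example, not ModelScan's code: it disassembles a pickle with pickletools (no execution), collects every module/name pair named by GLOBAL, INST or STACK_GLOBAL, and then checks that set once against a constructed, abbreviated blocklist of the shape the page describes and once against an allowlist. The BLOCKLIST and ALLOWLIST contents, the sample pickles and all function names are assumptions for illustration; the suspicious samples only push a reference to importlib.import_module and stop, they do not build the REDUCE chain.

```python
import pickle
import pickletools

# Constructed, abbreviated blocklist mirroring the shape the page describes for
# ModelScan's unsafe_globals; NOT the project's actual settings.py.
# ("module", "*") means every name in that module.
BLOCKLIST = {
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "open"),
    ("os", "*"), ("subprocess", "*"), ("operator", "attrgetter"), ("httplib", "*"),
}

# Constructed allowlist: the handful of globals a trusted pipeline's artifacts need.
ALLOWLIST = {
    ("collections", "OrderedDict"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
}

# Opcodes that push a string constant; STACK_GLOBAL consumes the two most recent ones.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def list_globals(data: bytes) -> set[tuple[str, str]]:
    """Statically collect every (module, name) pair a pickle references.

    pickletools.genops disassembles without executing anything, so it is safe on
    untrusted input. GLOBAL and INST carry "module name" inline; for STACK_GLOBAL
    we take the two most recently pushed strings, which is the pattern pickle.dumps
    emits for protocol 4 (strings recalled via BINGET/memo are not followed here).
    """
    found: set[tuple[str, str]] = set()
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.add((recent_strings[-2], recent_strings[-1]))
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
    return found


def blocklist_findings(globals_):
    """Flag only globals matching a blocklist entry (the model the page shows failing)."""
    return {(m, n) for m, n in globals_ if (m, n) in BLOCKLIST or (m, "*") in BLOCKLIST}


def allowlist_findings(globals_):
    """Flag every global not explicitly approved, so an unlisted module cannot slip through."""
    return {g for g in globals_ if g not in ALLOWLIST}


def scan(data: bytes) -> dict:
    """Return the referenced globals plus the findings under each detection model."""
    found = list_globals(data)
    return {
        "globals": found,
        "blocklist_hits": blocklist_findings(found),
        "allowlist_hits": allowlist_findings(found),
    }


# Constructed samples. The benign one references no globals at all.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)
# Protocol-0 GLOBAL opcode naming importlib.import_module, then STOP (nothing is called).
SUSPICIOUS_GLOBAL = b"cimportlib\nimport_module\n."
# The same reference via protocol-4 STACK_GLOBAL: two SHORT_BINUNICODE strings, then 0x93.
SUSPICIOUS_STACK = b"\x80\x04\x8c\x09importlib\x8c\x0dimport_module\x93."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("global", SUSPICIOUS_GLOBAL),
                        ("stack_global", SUSPICIOUS_STACK)]:
        r = scan(blob)
        print(f"{label}: globals={sorted(r['globals'])} "
              f"blocklist={sorted(r['blocklist_hits'])} allowlist={sorted(r['allowlist_hits'])}")
```

Running it shows the asymmetry the page is about: both suspicious blobs expose ("importlib", "import_module"), the blocklist pass returns nothing for them, and the allowlist pass flags them while leaving the benign file clean. Whatever names get added to a blocklist, the allowlist check fails closed on the next unlisted module.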

Files

  • create_pickle_bypass.py - PoC creation script with 4 bypass techniques
  • rce_bypass.pkl - Full RCE bypass (importlib + operator.methodcaller)
  • file_access_bypass.pkl - File read bypass (codecs.open)
  • io_access_bypass.pkl - File I/O bypass (io.open)
  • network_bypass.pkl - Network access bypass (http.client)

Verification

# Install ModelScan
pip install modelscan==0.8.8

# Scan the RCE payload - should show "No issues found!"
modelscan --path rce_bypass.pkl

# Load it to confirm RCE (runs 'id' command)
python3 -c "import pickle; pickle.loads(open('rce_bypass.pkl','rb').read())"

Affected Scanners

All pickle-based scanners share the same _list_globals() + unsafe_globals detection:

  • PickleUnsafeOpScan (.pkl, .pickle, .joblib, .dill, .dat, .data)
  • NumpyUnsafeOpScan (.npy with object dtype)
  • PyTorchUnsafeOpScan (.bin, .pt, .pth, .ckpt non-zip)

Impact

An attacker can craft a malicious pickle/numpy/pytorch model file that:

  1. Passes ModelScan security scanning with 0 issues
  2. Executes arbitrary commands when loaded by a victim
  3. Can read files, make network connections, or achieve full RCE

This is particularly dangerous because ModelScan is used by HuggingFace (as Protect AI Guardian) to scan uploaded model files.
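Because the damage happens at load time, a scanner verdict is only one layer; the loader itself can refuse unapproved globals. The following added example (not ModelScan's or HuggingFace's code) uses the standard-library pattern of overriding Unpickler.find_class with an allowlist, so the decision is made for every GLOBAL, INST or STACK_GLOBAL reference regardless of which opcode named it. SAFE_GLOBALS, the sample bytes and the helper names are constructed for illustration.

```python
import io
import pickle

# Constructed allowlist; a real deployment derives it from the types its own
# model format legitimately serialises.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs.

    find_class is the single choke point through which every global reference
    passes, so gaps in a blocklist (importlib, operator.methodcaller, codecs.open,
    io.open, http.client) are irrelevant: anything not approved is refused before
    it is imported.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> tuple[bool, object]:
    """Return (loaded_ok, value) on success or (False, error_message) on refusal."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples. The benign one legitimately references collections.OrderedDict.
from collections import OrderedDict
BENIGN = pickle.dumps(OrderedDict(a=1), protocol=4)
# References importlib.import_module via GLOBAL and stops; the guard refuses it on sight.
SUSPICIOUS = b"cimportlib\nimport_module\n."

if __name__ == "__main__":
    print("benign:", try_load(BENIGN))
    print("suspicious:", try_load(SUSPICIOUS))
```

Refusing inside find_class also covers formats that embed pickles (joblib, torch .pt archives, numpy object arrays) as long as their loaders are routed through the restricted unpickler rather than the default one.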
