You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Marshal + Types FunctionType Modelscan Bypass PoC

Summary

This repository demonstrates a bypass of ProtectAI's modelscan v0.7.6 (latest) using marshal.loads() and types.FunctionType — neither of which are in modelscan's unsafe_globals blocklist.

Technique

Compile arbitrary Python code into a code object
Serialize the code object with marshal.dumps()
In pickle bytecode, reconstruct via: types.FunctionType(marshal.loads(marshaled_bytes), {})()
modelscan sees marshal.loads and types.FunctionType — neither flagged
On pickle.loads() or torch.load(), arbitrary code executes

Modules Used (NOT in blocklist)

marshal — deserializes code objects from bytes
types — FunctionType wraps code objects into callable functions

Impact

Bypass: modelscan v0.7.6 reports "No issues found"
Execution: Full RCE on model load via pickle.loads() or torch.load()
Affected formats: .pkl, .pickle, .bin, .pt, .pth, .ckpt (any pickle-based format)

Files

pytorch_model.bin — PyTorch model file containing the bypass payload
exploit.pkl — Raw pickle file with the same payload

Reproduction

# Scan with modelscan
modelscan scan -p pytorch_model.bin
# Output: "No issues found"

# Load to trigger RCE
python3 -c "import torch; torch.load('pytorch_model.bin', weights_only=False)"
# Or: python3 -c "import pickle; pickle.loads(open('exploit.pkl','rb').read())"

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support