
ModelScan Bypass: Arbitrary Code Execution in PyTorch .pt via cProfile.run gadget

Proof-of-concept for a Huntr Model File Format report.

model.pt runs code when loaded with torch.load(..., weights_only=False), yet ModelScan reports it clean. The malicious __reduce__ uses cProfile.run, a code-executing stdlib callable that is not on ModelScan's PickleUnsafeOpScan denylist, and hides the command in a string argument the scanner never inspects.

Files

  • model.pt: the PoC model file (benign payload: writes pytorch_poc_executed.txt)
  • exploit.py: builds the model, scans it with ModelScan, loads it, prints the result
  • README.md: this file

Reproduce

pip install torch modelscan
# 1) scanner says it is safe:
modelscan -p model.pt                  # ->  No issues found! 🎉
# 2) loading with weights_only=False executes code:
python -c "import torch; torch.load('model.pt', weights_only=False)"
ls pytorch_poc_executed.txt            # marker proves code ran on load
# or run everything at once:
python exploit.py                      # -> No issues found (BYPASS) + CODE EXECUTED

Impact

ModelScan is used to gate untrusted models in MLOps pipelines and model registries. This file passes the scan as clean yet achieves arbitrary code execution on load, defeating that control. Verified on PyTorch 2.6 / modelscan 0.8.6.

The vulnerability only applies when a checkpoint is loaded with torch.load(weights_only=False), which is common in legacy code and when loading full checkpoints. Modern PyTorch (2.6+) defaults to weights_only=True (the safe setting), but many production systems have not upgraded or explicitly pass weights_only=False.

The payload here is benign (writes a marker file). Swap the command in exploit.py to confirm real command execution.
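As an added defensive example (not part of this PoC or of ModelScan), the check below walks the pickle streams inside a .pt archive with pickletools and rejects any import reference that is not on an explicit allowlist, so an unlisted stdlib gadget such as cProfile.run fails the check whether or not a denylist knows about it. The allowlist, the archive builder and the two sample checkpoints are constructed for illustration and are not PyTorch's official safe set.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Illustrative allowlist: what a plain state_dict checkpoint needs and nothing else.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                   "torch.FloatStorage", "torch.LongStorage"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
SKIP_OPS = {"MEMOIZE", "BINPUT", "LONG_BINPUT", "PUT"}  # memo writes, no stack effect

def pickle_globals(data: bytes) -> set:
    """Every module.name a pickle stream would import, found without loading it."""
    found, trail = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in SKIP_OPS:
            continue
        if op.name in ("GLOBAL", "INST"):
            found.add(arg.replace(" ", "."))  # genops yields "module name"
        elif op.name == "STACK_GLOBAL":
            # Resolve only when the operands are the two string literals just pushed;
            # operands fetched from the memo (GET/BINGET) fail closed instead.
            if len(trail) >= 2 and all(t[0] in STRING_OPS for t in trail[-2:]):
                found.add(f"{trail[-2][1]}.{trail[-1][1]}")
            else:
                found.add("<unresolved STACK_GLOBAL>")
        trail.append((op.name, arg))
    return found

def audit_checkpoint(blob: bytes, allowed=ALLOWED_GLOBALS) -> set:
    """Return import references not on the allowlist; an empty set means clean."""
    if zipfile.is_zipfile(io.BytesIO(blob)):  # torch.save zip layout: */data.pkl
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        streams = [blob]  # legacy non-zip checkpoint or a bare pickle
    return set().union(*(pickle_globals(s) for s in streams)) - set(allowed)

def _make_pt(pkl: bytes) -> bytes:
    """Constructed sample in the zip layout torch.save uses, one data.pkl member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl)
    return buf.getvalue()

BENIGN_PT = _make_pt(pickle.dumps(OrderedDict(bias=[0.0, 1.0]), protocol=4))
# Constructed sample: a single unlisted stdlib reference then STOP; nothing is called.
UNLISTED_PT = _make_pt(b"\x80\x02ccProfile\nrun\n.")
```

audit_checkpoint(BENIGN_PT) returns an empty set while audit_checkpoint(UNLISTED_PT) returns {"cProfile.run"}, and a STACK_GLOBAL whose operands come from the memo is reported under a sentinel name that is never allowlisted, so it fails closed. Run such a check before any torch.load, and keep weights_only=True wherever the checkpoint is only a state_dict.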
