
Modelscan Bypass PoC: marshal.loads + types.FunctionType

Vulnerability

ProtectAI's modelscan (v0.7.6) fails to detect malicious pickle payloads that use marshal.loads() to reconstruct arbitrary Python bytecode, combined with types.FunctionType to create an executable function.

Technique

  1. marshal.loads(marshalled_bytes) reconstructs a code object from marshalled bytecode
  2. types.FunctionType(code_obj, {}) wraps it in a callable function
  3. operator.methodcaller('__call__')(func) executes it

None of marshal, types.FunctionType, or operator.methodcaller appears in modelscan's unsafe_globals blocklist.

Impact

Full arbitrary code execution. The marshalled bytecode can contain any Python code including import os; os.system(cmd).

Modelscan Result

modelscan scan -p pytorch_model.bin
--- Summary ---
 No issues found!

Verification

import torch
model = torch.load("pytorch_model.bin")
# RCE executes on load

Root Cause

The marshal and types modules are not in modelscan's unsafe_globals blocklist (modelscan/settings.py). This is a variant of the types.CodeType bypass, but it uses marshal for code object serialization instead of manual CodeType construction.
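The root cause above is a blocklist gap, and the Technique section shows why a blocklist keeps losing: every new wrapper module is a new bypass. The added example below (not part of this PoC repository and not modelscan's own code) is a defender-side check that takes the opposite approach: it walks the pickle stream with pickletools.genops, which decodes opcodes without executing anything, collects every module.attribute reference the stream would import (GLOBAL and STACK_GLOBAL opcodes), and flags anything outside an allowlist. The allowlist contents are an assumption for this example; the sample pickles are constructed inline, and the suspicious one only references marshal.loads, types.FunctionType and operator.methodcaller (no REDUCE follows, and it is never unpickled), so it is inert.

```python
"""Allowlist-based pickle import audit (added example; not modelscan's code).

Uses pickletools.genops, which parses opcodes without executing them, to list
the module.attribute references a pickle would import on load. Because the
check is an allowlist, marshal.loads, types.FunctionType and
operator.methodcaller are flagged even though no blocklist entry names them.
"""
import collections
import pickle
import pickletools

# Modules a plain PyTorch state_dict legitimately needs.  This set is an
# assumption for the example; derive it from what your own loader requires.
ALLOWED_MODULES = {"collections", "torch", "torch._utils"}

# Opcodes that push a string (possible STACK_GLOBAL module/name operands).
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that neither push nor pop, so they may sit between the two strings.
_NEUTRAL_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) pair the stream references, in order."""
    imports = []
    recent = []  # most recent consecutive string pushes, for STACK_GLOBAL
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # Protocol 0-3 form: argument is "module name".
            module, name = arg.split(" ", 1)
            imports.append((module, name))
            recent.clear()
        elif opcode.name in _STRING_OPS:
            recent.append(arg)
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+ form: pops name, then module, from the stack.
            if len(recent) >= 2:
                name = recent.pop()
                module = recent.pop()
                imports.append((module, name))
            recent.clear()
        elif opcode.name not in _NEUTRAL_OPS:
            recent.clear()
    return imports


def audit(data: bytes) -> list[str]:
    """Return 'module.name' strings outside the allowlist; empty means clean."""
    return [f"{module}.{name}" for module, name in pickle_imports(data)
            if module not in ALLOWED_MODULES]


# Constructed inert sample: GLOBAL references only, no REDUCE, never loaded.
SUSPICIOUS_PICKLE = (
    b"\x80\x02"                   # PROTO 2
    b"cmarshal\nloads\n"          # GLOBAL marshal loads
    b"ctypes\nFunctionType\n"     # GLOBAL types FunctionType
    b"coperator\nmethodcaller\n"  # GLOBAL operator methodcaller
    b"\x87"                       # TUPLE3
    b"."                          # STOP
)

# Constructed benign sample: what an OrderedDict-shaped state_dict references.
BENIGN_PICKLE = pickle.dumps(collections.OrderedDict([("w", 1.0)]), protocol=4)


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PICKLE), ("benign", BENIGN_PICKLE)):
        findings = audit(blob)
        verdict = "BLOCK " + ", ".join(findings) if findings else "allow"
        print(f"{label}: {verdict}")
```

This is a reference audit, not a full pickle interpreter; a scanner that symbolically executes the stream (fickling-style) catches more obfuscation, and the STACK_GLOBAL operand tracking here is a heuristic that only follows the two immediately preceding string pushes. Independently of scanning, loading checkpoints with torch.load(..., weights_only=True) (the default since PyTorch 2.6) uses a restricted unpickler that refuses these references outright.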

Affected Version

modelscan 0.7.6 (latest as of April 2026)
