--- library_name: pytorch tags: - security-research - modelscan-bypass license: mit --- # ModelScan Bypass PoC — codeop.compile_command **Security research for responsible disclosure via Huntr MFV program.** ## Vulnerability `codeop.compile_command` is not in modelscan's `unsafe_globals` blocklist. When a pickle file containing this global is scanned by modelscan, it reports "No issues found." However, loading the file with `pickle.loads()` / `torch.load()` triggers compiles arbitrary Python code string to code object. Combined with types.FunctionType, achieves full RCE.. ## Impact - **Severity**: HIGH - **Effect**: compiles arbitrary Python code string to code object. Combined with types.FunctionType, achieves full RCE. ## Bypass Class `builtins.compile` is blocked but `codeop.compile_command` (which wraps compile()) is not. The returned code object can be wrapped in `types.FunctionType(code, {})` to create and execute an arbitrary function. ## Reproduction ```bash pip install modelscan modelscan scan -p bypass_poc.pkl # Output: "No issues found!" ```