Skyflocka: Upload README.md with huggingface_hub (commit 3049c59, verified)

Pickle .pkl RCE PoC - importlib.import_module + operator.methodcaller ModelScan Bypass

Vulnerability

Malicious .pkl file achieves Remote Code Execution using importlib.import_module + operator.methodcaller, bypassing ModelScan's unsafe_globals blocklist.

ModelScan Bypass

ModelScan's PickleUnsafeOpScan extracts the targets of GLOBAL/STACK_GLOBAL opcodes and checks them against its unsafe_globals blocklist. This payload only references:

  • importlib.import_module (NOT in blocklist)
  • operator.methodcaller (NOT in blocklist; only operator.attrgetter is blocked)
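A defender's counterpart to that check, added here as an example that is not part of this model card or of ModelScan: enumerate every GLOBAL/STACK_GLOBAL target with pickletools (never pickle.load) and judge it against an allowlist, so references to importlib or operator are reported even though the blocklist does not name them. The allowlist prefixes and the sample pickles are assumptions constructed for the demo.

```python
import importlib
import operator
import pickle
import pickletools

# Assumed allowlist for a numpy/sklearn/torch-style model; adjust to the
# modules your own model files legitimately reference.
ALLOWED_MODULE_PREFIXES = ("numpy", "sklearn", "torch", "collections")
# Opcodes that turn a referenced global into a call or an attribute write.
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


def pickle_globals(data: bytes) -> list:
    """Return 'module.name' for each GLOBAL/STACK_GLOBAL, without loading."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            # Protocol <= 3: operand is "module name" in one string.
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two most recent string
            # pushes. Simplification: a hardened scanner also emulates the
            # memo (MEMOIZE/BINGET), since operands may be fetched from it.
            if len(strings) >= 2:
                found.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in STRING_OPCODES:
            strings.append(arg)
    return found


def scan_pickle(data: bytes) -> dict:
    """Allowlist verdict: any global outside the allowlist is a finding."""
    globs = pickle_globals(data)
    calls = sum(1 for op, _a, _p in pickletools.genops(data) if op.name in CALL_OPCODES)
    suspicious = [g for g in globs if not g.startswith(ALLOWED_MODULE_PREFIXES)]
    return {"globals": globs, "suspicious": suspicious, "call_opcodes": calls,
            "verdict": "unsafe" if suspicious else "ok"}


def demo() -> dict:
    """Scan constructed samples: bare references to the two functions this page
    names (no call is pickled, so loading would only yield the function object)
    and a benign dict with no globals at all."""
    samples = {"import_module ref": importlib.import_module,
               "methodcaller ref": operator.methodcaller,
               "plain dict": {"weights": [0.1, 0.2]}}
    return {label: scan_pickle(pickle.dumps(obj)) for label, obj in samples.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```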

Reproduction

```python
import pickle

with open("model.pkl", "rb") as f:
    model = pickle.load(f)  # RCE occurs here
```

Check /tmp/pickle_rce_proof for execution evidence.

Impact

Arbitrary command execution when a user loads a malicious .pkl model file.