---
license: cc-by-4.0
tags:
- security
- poc
- modelscan
---

# ModelScan v0.8.8 additional unsafe_globals primitives

Proof-of-concept files demonstrating that ModelScan's `unsafe_globals` allowlist omits four additional code-execution primitives beyond those already disclosed in issues #338, #331, and PR #339 on `protectai/modelscan`:

- `operator.methodcaller`
- `functools.partial`
- `atexit.register`
- `threading.Thread`

The bypass affects every extension `PickleUnsafeOpScan` is dispatched to via `FormatViaExtensionMiddleware`: `.pkl`, `.pickle`, `.joblib`, `.dill`, `.dat`, `.data`. A `.joblib` variant (`R2_A1-09_threading.joblib`) is included as a concrete demonstration that the `.joblib` extension routes to the same scanner and yields the same `total_issues: 0` result.

**These files are intentionally malicious for demonstration purposes.** Do not load any of them on a system you care about. See the huntr submission for the detailed Description.

## Reproduction

```bash
python -m venv venv
# Windows: . venv/Scripts/activate
# POSIX:   . venv/bin/activate
pip install modelscan==0.8.8
git clone https://huggingface.co/askeladd-k/modelscan-additional-primitives poc
cd poc
python repro.py
```

### Expected output

```
R2_A1-02_methodcaller.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-05_partial.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-07_atexit.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.pkl: total_issues=0 [BYPASSED (gap)]
R2_A1-09_threading.joblib: total_issues=0 [BYPASSED (gap, .joblib variant)]
positive_control.pkl: total_issues=1 [FLAGGED (positive control)]
```

## AI disclosure

These proof-of-concept files were generated with AI-assisted analysis and manually verified in a clean environment against vanilla `pip install modelscan==0.8.8`.
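The following is an added example, not code from this repository, from ModelScan, or from the huntr submission: a small static pickle-opcode scanner that walks a file with `pickletools.genops` and reports any `GLOBAL` or `STACK_GLOBAL` reference to the four primitives listed above, without ever unpickling the input. It is the kind of check a defender can put in front of a model-loading pipeline while the upstream `unsafe_globals` list is still missing these entries. The denylist `EXTRA_UNSAFE_GLOBALS`, the helper names, and the sample pickles in `build_samples()` are all my own constructions; the samples pickle benign objects (a `methodcaller("upper")`, a `partial(int, base=2)`, the `atexit.register` function, the `threading.Thread` class) so that their opcode streams reference each primitive without carrying any payload. `scan_file()` can be pointed at the `.pkl`/`.joblib` files named in the expected output above, since every extension listed routes to the same pickle stream.

```python
"""Added example (not part of this repository or of ModelScan): a static
pickle-opcode scanner for the four primitives this README reports as
missing from ModelScan 0.8.8's unsafe_globals list. Never unpickles input."""
import atexit
import functools
import operator
import pickle
import threading
from pickletools import genops, markobject, stackslice

# Constructed denylist: the four primitives from this README (module -> names).
# A real deployment would merge these into a broader unsafe-globals list.
EXTRA_UNSAFE_GLOBALS = {
    "operator": {"methodcaller"},
    "functools": {"partial"},
    "atexit": {"register"},
    "threading": {"Thread"},
}

# Opcodes that push a str; these are the only values we model exactly.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MARK = object()  # sentinel standing in for the pickle MARK on our simulated stack


def _pop(stack):
    return stack.pop() if stack else None


def referenced_globals(data: bytes) -> list:
    """Return (module, name) pairs the pickle would import.

    The opcode stream is simulated just far enough to recover the two string
    operands of STACK_GLOBAL (including when they arrive via the memo);
    every non-string value is tracked as an opaque placeholder (None).
    """
    found, stack, memo = [], [], {}
    for op, arg, _pos in genops(data):
        name = op.name
        if name == "GLOBAL":                  # protocols 0-3: arg is "module name"
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            stack.append(None)
        elif name == "STACK_GLOBAL":          # protocol 4+: name on top, module below
            attr, module = _pop(stack), _pop(stack)
            if isinstance(module, str) and isinstance(attr, str):
                found.append((module, attr))
            stack.append(None)
        elif name in STRING_OPS:
            stack.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif name == "DUP":
            stack.append(stack[-1] if stack else None)
        elif name == "STOP":
            break
        else:
            # Generic opcode: pop what it consumes (back through the MARK for
            # variable-length ops), then push placeholders for what it produces.
            before = op.stack_before
            if stackslice in before:
                while stack and _pop(stack) is not MARK:
                    pass
                for _ in range(before.index(markobject)):
                    _pop(stack)
            else:
                for _ in before:
                    _pop(stack)
            stack.extend(MARK if obj is markobject else None for obj in op.stack_after)
    return found


def scan(data: bytes, unsafe=EXTRA_UNSAFE_GLOBALS) -> list:
    """Findings: referenced globals that appear on the denylist."""
    return [(m, n) for m, n in referenced_globals(data) if n in unsafe.get(m, ())]


def scan_file(path: str) -> list:
    """Scan one .pkl/.pickle/.joblib/... file from disk without loading it."""
    with open(path, "rb") as fh:
        return scan(fh.read())


def build_samples() -> dict:
    """Constructed samples: benign objects whose opcode streams reference each
    primitive (no payload of any kind), plus a clean control."""
    return {
        "methodcaller_p4": pickle.dumps(operator.methodcaller("upper"), protocol=4),
        "methodcaller_p2": pickle.dumps(operator.methodcaller("upper"), protocol=2),
        "partial_p4": pickle.dumps(functools.partial(int, base=2), protocol=4),
        "atexit_register_p4": pickle.dumps(atexit.register, protocol=4),
        "thread_class_p4": pickle.dumps(threading.Thread, protocol=4),
        "clean_control": pickle.dumps({"weights": [0.1, 0.2, 0.3]}, protocol=4),
    }


def scan_samples() -> dict:
    return {label: scan(data) for label, data in build_samples().items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: findings={findings} [{'FLAGGED' if findings else 'clean'}]")
```

The scanner deliberately models strings and the memo rather than only the last two pushes, because protocol 4 pickles memoize every string and a second reference to the same module name arrives as a `BINGET` rather than a fresh `SHORT_BINUNICODE`; a scanner that ignores the memo would miss those references.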