---
tags:
- security-research
- proof-of-concept
license: mit
---

# modelscan Bypass PoC: _bootsubprocess.Popen RCE

**Security research only. Do not use maliciously.**

This model file demonstrates a bypass of protectai/modelscan v0.7.6.

## Vulnerability

modelscan blocks `subprocess` but does NOT block `_bootsubprocess`, a CPython internal module that provides the same `Popen` functionality.

## Verification

```bash
# Scan - reports no issues
modelscan scan -p model.pkl

# But executes arbitrary commands on load
python3 -c "import pickle; pickle.load(open('model.pkl','rb'))"
```

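The bypass works because the scanner matches module names against a blocklist, and a blocklist can never name every module that reaches a process-spawning primitive. The defensive counterpart is an allowlist: enumerate the globals a model file legitimately needs, flag anything else during a static opcode walk, and have the loader itself refuse unknown globals via `Unpickler.find_class`. The example below is added here and is not code from this repository or from modelscan; `SAFE_GLOBALS` is an illustrative allowlist, and the sample streams are constructed inline. The two suspicious samples only *reference* `_bootsubprocess.Popen` and then stop, so they invoke nothing even if loaded; they exist to show that the allowlist catches a module the blocklist missed, in both the `GLOBAL` and the `STACK_GLOBAL` opcode form.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Illustrative allowlist (assumption): the only (module, name) globals this
# loader resolves. A real deployment enumerates what its model format needs.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}

# Opcodes that push a string constant; STACK_GLOBAL consumes the last two.
_STRING_OPS = ("STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE")


def find_globals(data: bytes):
    """Return every (module, name) the stream would import, without loading it.

    GLOBAL carries "module name" in its argument; STACK_GLOBAL takes the two
    string constants pushed just before it, so recent strings are tracked.
    """
    found = []
    recent = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            recent.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((recent[-2], recent[-1]))
    return found


def audit(data: bytes, allow=SAFE_GLOBALS):
    """Static verdict: globals not on the allowlist (empty list means clean)."""
    return [g for g in find_globals(data) if g not in allow]


class RestrictedUnpickler(pickle.Unpickler):
    """Loader that refuses any global outside SAFE_GLOBALS, whatever it is called."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_verdict(data: bytes) -> str:
    """'ok' if the restricted loader accepts the stream, 'blocked' if it refuses."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"


# Constructed samples (not files from this repository).
# A benign state-dict-like object, serialized with protocol 4 (STACK_GLOBAL form):
BENIGN = pickle.dumps(OrderedDict([("weight", 1.0)]), protocol=4)
# Two streams that only reference _bootsubprocess.Popen and then STOP; neither
# calls anything when loaded. Protocol 0 uses GLOBAL, protocol 4 uses STACK_GLOBAL.
REFERENCE_PROTO0 = b"c_bootsubprocess\nPopen\n."
REFERENCE_PROTO4 = b"\x80\x04\x8c\x0f_bootsubprocess\x8c\x05Popen\x93."

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("proto0", REFERENCE_PROTO0), ("proto4", REFERENCE_PROTO4)]
    for label, blob in samples:
        print(label, find_globals(blob), audit(blob), load_verdict(blob))
```

`audit` never executes the stream, so it is safe to run over untrusted files before any loader touches them; `RestrictedUnpickler` is the belt-and-braces layer for the case where a scan is skipped. Because both decide on what is *not* on the allowlist, an alias such as `_bootsubprocess` is rejected exactly like `subprocess`, with no need to know its name in advance.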