---
tags:
- security-research
- proof-of-concept
license: mit
---

# modelscan Bypass PoC: _bootsubprocess.Popen RCE

**Security research only. Do not use maliciously.**

This model file demonstrates a bypass of protectai/modelscan v0.7.6.

## Vulnerability

modelscan blocks `subprocess` but does NOT block `_bootsubprocess`, a CPython internal module that provides the same `Popen` functionality.

## Verification

```bash
# Scan - reports no issues
modelscan scan -p model.pkl

# But executes arbitrary commands on load
python3 -c "import pickle; pickle.load(open('model.pkl','rb'))"
```
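
The gap described under Vulnerability is the general weakness of a module denylist: any importable name missing from the list passes the scan. The following added example (not part of the original PoC and not modelscan's code) lists a pickle's imports statically with `pickletools` and compares a denylist policy with an allowlist policy. `ALLOWED_GLOBALS`, `DENIED_MODULES` and both sample byte strings are assumptions constructed for illustration.

```python
import pickle
import pickletools
from collections import OrderedDict

# Assumption: the only global this hypothetical loader legitimately needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
# Constructed stand-in for a module denylist; not modelscan's real list.
DENIED_MODULES = {"subprocess", "os", "builtins"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
STACK_NEUTRAL = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def imported_globals(data: bytes):
    """List (module, name) pairs a pickle would import, without loading it."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPS:
            strings.append(arg)
            continue
        if opcode.name in STACK_NEUTRAL:
            continue
        if opcode.name in ("GLOBAL", "INST"):  # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL":  # operands are the top two strings
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else (None, None))
        elif opcode.name in ("EXT1", "EXT2", "EXT4"):  # copyreg registry lookup
            found.append((None, None))
        strings = []  # any other opcode may alter the stack: forget operands
    return found


def denylist_hits(data: bytes, denied=DENIED_MODULES):
    """Denylist policy: report only imports from modules named in advance."""
    return [g for g in imported_globals(data) if g[0] in denied]


def allowlist_violations(data: bytes, allowed=ALLOWED_GLOBALS):
    """Allowlist policy: report every import not approved; fails closed."""
    return [g for g in imported_globals(data) if g not in allowed]


# Constructed samples. REFERENCE_ONLY is a bare GLOBAL + STOP written by hand;
# it carries no call or arguments and is only parsed here, never unpickled.
BENIGN = pickle.dumps(OrderedDict(a=1), protocol=4)
REFERENCE_ONLY = b"c_bootsubprocess\nPopen\n."

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("reference", REFERENCE_ONLY)):
        print(label, denylist_hits(blob), allowlist_violations(blob))
```

An import that cannot be resolved statically is reported as `(None, None)`, so it fails the allowlist instead of passing silently. The same allowlist can be enforced at load time by overriding `pickle.Unpickler.find_class`.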