README.md

---
license: mit
tags:
  - security-research
  - modelscan-bypass
  - pickle-safety
---

# modelscan-bypass-fileinput

## Modelscan Bypass PoC — fileinput.input

**Severity**: MEDIUM
**Impact**: Arbitrary file read — fileinput.input(files) reads any file accessible to the process
**modelscan version**: 0.7.6 (latest on PyPI)
**Result**: "No issues found!" ✅ (false negative)

### Chain
`fileinput.input(["/etc/passwd"])` → reads sensitive files

### Why It Works
`fileinput.input` is NOT in modelscan's `unsafe_globals` blocklist.
`fileinput` is NOT in the blocklist.

### Reproduction
```bash
pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Executes arbitrary code
```

### Responsible Disclosure
This PoC is part of a responsible disclosure to ProtectAI via Huntr MFV program.