| library_name: pytorch | |
| tags: | |
| - security-research | |
| - modelscan-bypass | |
| license: mit | |
| # ModelScan Bypass PoC — http.server.HTTPServer | |
| Security research for responsible disclosure via Huntr MFV program. | |
| ## Vulnerability | |
| `http.server.HTTPServer` is not in modelscan's `unsafe_globals` blocklist. | |
| modelscan reports "No issues found" but loading triggers starts an HTTP server on deserialization — serves ALL local files to the network. | |
| ## Impact: CRITICAL | |
| `http` is not in the blocklist (only `httplib` is). HTTPServer constructor binds to a port and `socket` is used internally but the constructor is via http.server, not socket directly. | |
| ## Reproduction | |
| ```bash | |
| pip install modelscan | |
| modelscan scan -p bypass_poc.pkl | |
| # Output: "No issues found!" | |
| ``` | |