---
license: mit
tags:
- security-research
- modelscan-bypass
---
# modelscan-bypass-importlib-shutil
## Security Research — Modelscan Bypass PoC
**Severity**: HIGH
**Module**: `importlib + operator.methodcaller → shutil`
**Description**: File operations reached through `importlib.import_module("shutil")` and `operator.methodcaller`, so `shutil` never appears as a pickle global.
**Impact**: Bypasses a blocklist keyed on `shutil.*` names. The loaded pickle can copy, move or delete files; `shutil.rmtree` gives recursive deletion.
## Modelscan Result
```
$ modelscan scan -p pytorch_model.bin
No issues found! ✅ (FALSE NEGATIVE)
```
**Tested against**: modelscan 0.8.8 (latest release at the time of testing)
## How It Works
The pickle's `GLOBAL` opcodes reference only `importlib.import_module` and `operator.methodcaller`; the `shutil` module name and the method name travel as plain string arguments. Neither global is in modelscan's `unsafe_globals` blocklist, and a name-based scan never resolves what `import_module` would return at load time, so the chain `importlib + operator.methodcaller → shutil` is reported clean.
When the file is loaded with `pickle.loads()`, or with `torch.load()` and `weights_only=False` (the default before PyTorch 2.6), the unpickler evaluates the chain and the `shutil` call runs.
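The check a scanner needs for this class of bypass, as an added example that is not part of this PoC or of modelscan's code: disassemble the pickle with `pickletools.genops` (nothing in the file executes), collect every `GLOBAL`/`STACK_GLOBAL` reference, and flag indirection primitives such as `importlib.import_module` and `operator.methodcaller` in addition to the usual module blocklist. `BLOCKED_MODULES`, `INDIRECTION`, the `_Reduce` helper and the three sample pickles are constructed for the demo and are assumptions of this example, not modelscan's lists or real checkpoints; the sample chain calls the read-only `shutil.disk_usage` instead of `rmtree` so it stays harmless even if someone loads it.

```python
"""Spot the importlib + methodcaller indirection in a pickle without loading it.

Added example for this README, not modelscan's code. BLOCKED_MODULES and
INDIRECTION are illustrative sets chosen for the demo, not modelscan's lists.
"""
import importlib
import operator
import pickle
import pickletools
import shutil

# Modules a name-based blocklist rejects when they appear directly in a
# GLOBAL / STACK_GLOBAL opcode (assumption: an illustrative list).
BLOCKED_MODULES = {"os", "posix", "nt", "shutil", "subprocess"}

# Callables that import or call a target the pickle never names as a global.
# The README's chain uses the first two; the rest are the obvious siblings.
INDIRECTION = {
    ("importlib", "import_module"),
    ("operator", "methodcaller"),
    ("operator", "attrgetter"),
    ("builtins", "__import__"),
    ("builtins", "getattr"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Return (module, qualname) for every global the pickle references.

    pickletools.genops only disassembles, so nothing in the file runs.
    GLOBAL (protocol <= 3, what torch.save emits) carries both names inline;
    STACK_GLOBAL (protocol 4+) takes them from the two strings pushed just
    before it, so string pushes and memo puts/gets are tracked.
    """
    found = []
    pushed = []   # string values in push order (None for non-string gets)
    memo = {}     # memo slot -> string value or None
    top = None    # value on top of the stack after the last opcode
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":
            module, qualname = arg.split(" ", 1)
            found.append((module, qualname))
            top = None
        elif name == "STACK_GLOBAL":
            qualname = pushed.pop() if pushed else None
            module = pushed.pop() if pushed else None
            found.append((str(module), str(qualname)))
            top = None
        elif name in STRING_OPS:
            pushed.append(arg)
            top = arg
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            top = memo.get(arg)
            pushed.append(top)
        elif name == "MEMOIZE":
            memo[len(memo)] = top
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = top
        else:
            top = None
    # Protocol 2 writes Python 2 names, so builtins.getattr is stored as
    # __builtin__.getattr; normalise so the INDIRECTION set still matches.
    return [("builtins" if m == "__builtin__" else m, q) for m, q in found]


def scan(data: bytes) -> dict:
    """Classify a pickle as clean, a direct blocklist hit, or indirection."""
    globs = extract_globals(data)
    direct = [g for g in globs if g[0] in BLOCKED_MODULES]
    indirect = [g for g in globs if g in INDIRECTION]
    verdict = "blocked-direct" if direct else "blocked-indirect" if indirect else "clean"
    return {"globals": globs, "direct": direct, "indirect": indirect, "verdict": verdict}


class _Reduce:
    """Pickles as REDUCE(fn, args); used only to build the constructed samples.
    __call__ exists because pickle refuses a non-callable fn at dump time."""

    def __init__(self, fn, args):
        self.fn, self.args = fn, args

    def __reduce__(self):
        return (self.fn, self.args)

    def __call__(self, *args, **kwargs):
        raise RuntimeError("placeholder; never invoked")


def build_samples(protocol: int = 2) -> dict[str, bytes]:
    """Constructed inputs, not real checkpoints. Protocol 2 matches torch.save."""
    benign = {"layer.weight": [0.1, 0.2], "layer.bias": [0.0]}
    # shutil is named in the GLOBAL opcode: a module blocklist catches this.
    direct = _Reduce(shutil.disk_usage, ("/",))
    # The README's chain: methodcaller(name, *args)(import_module("shutil")).
    # The only globals are importlib.import_module and operator.methodcaller;
    # "shutil" is a plain string argument. Read-only disk_usage stands in for
    # rmtree so the sample is harmless even if someone loads it.
    indirect = _Reduce(
        _Reduce(operator.methodcaller, ("disk_usage", "/")),
        (_Reduce(importlib.import_module, ("shutil",)),),
    )
    return {n: pickle.dumps(o, protocol=protocol)
            for n, o in (("benign", benign), ("direct", direct), ("indirect", indirect))}


if __name__ == "__main__":
    for proto in (2, 4):
        for label, blob in build_samples(proto).items():
            r = scan(blob)
            print(f"proto {proto} {label:8s} {r['verdict']:16s} globals={r['globals']}")
```

Running the module shows the indirect sample producing no `shutil` global at all, which is exactly why a `shutil.*` blocklist stays silent; the `INDIRECTION` match is what turns it into a finding. Any real scanner should treat these primitives the same way it treats `os.system` or `subprocess.Popen`, because once they are allowed the blocklist is only a list of names the attacker must avoid spelling out.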
## Responsible Disclosure
This PoC is part of responsible security research submitted via the Huntr MFV program
to help ProtectAI improve modelscan's detection capabilities.