Author: manja316 (commit e3f618a, "Upload folder using huggingface_hub")
---
license: mit
tags:
  - security-research
  - modelscan-bypass
---

modelscan-bypass-importlib-subprocess

Security Research — Modelscan Bypass PoC

Severity: CRITICAL

Module: importlib + operator.methodcaller → subprocess

Description: Full RCE via importlib.import_module("subprocess") + operator.methodcaller("getoutput", cmd)

Impact: Command execution via subprocess.getoutput(). Bypasses subprocess.* blocklist entry via importlib indirection.

Modelscan Result

$ modelscan scan -p pytorch_model.bin
No issues found! ✅ (FALSE NEGATIVE)

Tested against: modelscan 0.8.8 (latest)

How It Works

The pickle file reaches subprocess through importlib.import_module and operator.methodcaller. Neither of those globals is in modelscan's unsafe_globals blocklist, so the scan reports nothing. When the file is loaded with torch.load() or pickle.loads(), the payload executes.
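A static check for this indirection pattern, added here as an example and not part of this repo or of modelscan: it walks the pickle opcode stream with pickletools.genops (never unpickling) and flags any GLOBAL or STACK_GLOBAL that resolves into importlib or operator. The sample pickles are constructed inside the block and only ask the loader to import json, so they are harmless; the module set and function names are this example's own.

```python
import pickle
import pickletools

# Harmless on their own, but they let a pickle reach any module or attribute
# at load time; a scanner matching only "subprocess.*" never sees that name.
INDIRECTION_MODULES = {"importlib", "operator"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}

def pickle_globals(data):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL, without loading.
    Protocol <= 3 carries the pair in GLOBAL itself; protocol 4+ pushes two
    strings (directly or from the memo) and then emits STACK_GLOBAL."""
    memo, recent, last = {}, [], None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            last = arg
            recent.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last          # implicit next memo slot
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                recent.append(last)
        elif op.name == "GLOBAL":
            last = None
            yield tuple(arg.split(" ", 1))   # genops gives "module name"
        elif op.name == "STACK_GLOBAL":
            last = None
            if len(recent) >= 2:
                yield recent[-2], recent[-1]
        else:
            last = None                     # non-string result on the stack

def scan_pickle(data):
    """Globals that route through an indirection module; empty means clean."""
    return [(m, n) for m, n in pickle_globals(data) if m in INDIRECTION_MODULES]

class _ImportJson:
    """Constructed fixture with the PoC's shape but a harmless target: loading
    it would only call importlib.import_module("json")."""
    def __reduce__(self):
        import importlib
        return (importlib.import_module, ("json",))

SAMPLE_P2 = pickle.dumps(_ImportJson(), protocol=2)      # GLOBAL opcode
SAMPLE_P4 = pickle.dumps(_ImportJson(), protocol=4)      # STACK_GLOBAL opcode
SAMPLE_CLEAN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
```

Run scan_pickle() over a model file's bytes before loading it; a non-empty result means the file asks the unpickler to resolve modules or methods dynamically, which a name-based blocklist cannot see.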

Responsible Disclosure

This PoC is part of responsible security research submitted through the Huntr MFV program to help ProtectAI improve modelscan's detection capabilities.