manja316: Upload folder using huggingface_hub (commit e3f618a, verified)
---
license: mit
tags:
- security-research
- modelscan-bypass
---
# modelscan-bypass-importlib-subprocess
## Security Research — Modelscan Bypass PoC
**Severity**: CRITICAL
**Module**: `importlib + operator.methodcaller → subprocess`
**Description**: Full RCE via importlib.import_module("subprocess") + operator.methodcaller("getoutput", cmd)
**Impact**: Command execution via subprocess.getoutput(). Bypasses subprocess.* blocklist entry via importlib indirection.
## Modelscan Result
```
$ modelscan scan -p pytorch_model.bin
No issues found! ✅ (FALSE NEGATIVE)
```
**Tested against**: modelscan 0.8.8 (latest)
## How It Works
The only globals the pickle file references are `importlib.import_module` and `operator.methodcaller`, which resolve to `subprocess` at load time; neither name is in modelscan's `unsafe_globals` blocklist, and the string `subprocess` never appears in the file, so the `subprocess.*` blocklist entry has nothing to match.
When the file is loaded via `torch.load()` or `pickle.loads()`, the reduce chain runs and the payload executes.
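The detection gap above is a property of blocklisting module names. The scanner below is an added example (it is not modelscan's code and not part of this repository): it walks the pickle opcode stream with `pickletools.genops`, which never executes anything, collects every `GLOBAL`/`STACK_GLOBAL` reference, and reports any module outside a small allowlist of what a weights file legitimately needs. The allowlist and the three sample pickles are constructed for the example; the "indirect" samples only reference `importlib.import_module` and `operator.methodcaller` without encoding any call, so they are inert, yet a `subprocess` blocklist still has nothing to match on them.

```python
"""Allowlist-based pickle scanner (added example; not modelscan's or this
repository's code).

A module blocklist misses indirection: a pickle that only names
importlib.import_module and operator.methodcaller never contains the string
"subprocess". This scanner instead walks the opcode stream with
pickletools.genops (static, nothing is unpickled), collects every
GLOBAL / STACK_GLOBAL reference and flags any module not on an allowlist.
"""
from __future__ import annotations

import importlib
import io
import operator
import pickle
import pickletools
from collections import OrderedDict

# Assumed allowlist for a plain state_dict-style weights file; tune per model.
ALLOWED_MODULES = frozenset({"collections", "torch", "numpy"})


class _Ref(tuple):
    """Placeholder pushed for a resolved global so it is never read as a string."""


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) pair the unpickler would hand to find_class.

    GLOBAL carries "module name" inline. STACK_GLOBAL (protocol 4+) consumes
    the two string constants pushed before it, so a push-only trace of string
    constants plus the memo (MEMOIZE/BINPUT/BINGET) is enough to recover them.
    This is not a full pickle VM; it tracks only what STACK_GLOBAL reads.
    """
    refs: list[tuple[str, str]] = []
    stack: list[object] = []
    memo: dict[int, object] = {}
    for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
        op = opcode.name
        if op == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
            stack.append(_Ref((module, name)))
        elif op == "STACK_GLOBAL":
            if len(stack) >= 2 and isinstance(stack[-2], str) and isinstance(stack[-1], str):
                refs.append((stack[-2], stack[-1]))
                stack.append(_Ref((stack[-2], stack[-1])))
            else:
                refs.append(("<unresolved>", "<unresolved>"))  # fail closed
        elif op == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif op in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif isinstance(arg, str):  # STRING / BINUNICODE / SHORT_BINUNICODE ...
            stack.append(arg)
    return refs


def scan(data: bytes, allowed: frozenset[str] = ALLOWED_MODULES) -> list[str]:
    """Return dotted names of every global outside the allowlist ([] means clean)."""
    findings = []
    for module, name in referenced_globals(data):
        if module.split(".", 1)[0] not in allowed:
            findings.append(f"{module}.{name}")
    return findings


# Constructed samples (not files from this repository). The "indirect" ones
# only *reference* importlib.import_module and operator.methodcaller; no call
# is encoded, so they are inert, yet they contain no "subprocess" string.
SAMPLE_BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
SAMPLE_INDIRECT_P4 = pickle.dumps([importlib.import_module, operator.methodcaller], protocol=4)
SAMPLE_INDIRECT_P2 = pickle.dumps([importlib.import_module, operator.methodcaller], protocol=2)

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN),
                        ("indirect (protocol 4)", SAMPLE_INDIRECT_P4),
                        ("indirect (protocol 2)", SAMPLE_INDIRECT_P2)]:
        print(f"{label}: {scan(blob) or 'clean'}")
```

Run it on a real `pytorch_model.bin` by reading the pickle member out of the zip (`torch.save` archives store it as `data.pkl`) and passing the bytes to `scan()`. Because the allowlist names what a weights file is permitted to reference, any new indirection trick (a different importer, a different callable wrapper) is reported by default instead of needing a fresh blocklist entry.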
## Responsible Disclosure
This PoC is part of responsible security research submitted via the Huntr MFV program to help ProtectAI improve modelscan's detection capabilities.