manja316: Upload README.md with huggingface_hub (commit 02b0b0d, verified)
---
license: mit
tags:
  - security-research
  - proof-of-concept
---

ModelScan Bypass PoC: operator.methodcaller + importlib.import_module

⚠️ SECURITY RESEARCH ONLY — This repository contains a proof-of-concept for a modelscan scanner bypass.

Vulnerability

modelscan v0.8.8 fails to detect malicious pickle payloads that use:

  • importlib.import_module() to dynamically load blocked modules
  • operator.methodcaller() to invoke methods on imported modules

Neither reference is caught by the scanner's blocklist check, so the scan reports 0 issues while the payload still achieves arbitrary command execution when the model is loaded.

Files

  • create_poc.py — Script to generate the malicious model files
  • pytorch_model.bin — PyTorch-format PoC (passes modelscan, executes with torch.load)

Reproduction

# Install modelscan
pip install modelscan

# Scan the model file — reports "No issues found"
modelscan scan -p pytorch_model.bin

# Load with torch — executes arbitrary command
python3 -c "import torch; torch.load('pytorch_model.bin', weights_only=False)"
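A defender-side check for the gap described in the Vulnerability section, added here as an example; it is not code from this PoC repository or from modelscan. It walks a pickle stream's opcodes with pickletools (nothing is unpickled) and flags GLOBAL/STACK_GLOBAL references to the two primitives named above. The PyTorch zip handling, the two extra companion entries in the flag list and the sample streams are assumptions or constructed inputs, not taken from the page.

```python
import io
import pickle
import pickletools
import zipfile

# Globals to flag. The first two are the primitives this page says modelscan
# v0.8.8 lets through; the other two are assumed companions (not from the page).
SUSPICIOUS_GLOBALS = {
    ("importlib", "import_module"), ("operator", "methodcaller"),
    ("operator", "attrgetter"), ("builtins", "getattr"),
}
# Opcodes that push a str constant (the two operands STACK_GLOBAL consumes).
STR_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
           "STRING", "SHORT_BINSTRING", "BINSTRING"}

def extract_pickle_streams(data: bytes):
    """Yield pickle streams from raw pickle bytes or from a PyTorch zip
    archive, which stores the object graph as a *data.pkl member."""
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith("data.pkl"):
                    yield zf.read(name)
    else:
        yield data

def pickle_globals(stream: bytes):
    """Return every (module, name) the stream references via GLOBAL or
    STACK_GLOBAL, using pickletools only; nothing is unpickled."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name == "GLOBAL":
            refs.append(tuple(arg.split(" ", 1)))  # genops joins module and name with a space
        elif op.name in STR_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            refs.append((strings[-2], strings[-1]))  # heuristic: last two str constants pushed
    return refs

def scan_model(data: bytes):
    """Return the suspicious global references found in a model file."""
    return [g for stream in extract_pickle_streams(data)
            for g in pickle_globals(stream) if g in SUSPICIOUS_GLOBALS]

# Constructed samples, not the PoC file: bare references with no REDUCE call,
# so unpickling them would only yield the function/class objects themselves.
SAMPLE_GLOBAL = b"\x80\x02cimportlib\nimport_module\n."  # protocol 2 GLOBAL
SAMPLE_STACK_GLOBAL = b"\x80\x04\x8c\x08operator\x8c\x0cmethodcaller\x93."  # protocol 4
BENIGN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=2)  # no global references
```

On the loading side, torch.load with weights_only=True refuses globals outside its safelist, which is the setting to keep for untrusted files regardless of what a scanner reports.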

Disclosure

Submitted to ProtectAI via Huntr responsible disclosure program.