---
license: mit
---

Modelscan Bypass PoC — plistlib.loads() macOS Plist Deserialization

Vulnerability

Modelscan 0.7.6 does not flag pickle files whose payload calls plistlib.loads. On its own that call only parses property-list bytes into Python objects (it reads no file and runs no command), so the practical impact comes from chaining: combined with a file-read primitive that is also not blocked, a loaded pickle can parse macOS system preferences, application configs, and keychain-adjacent files into attacker-chosen structures.

The plistlib module is not in modelscan's unsafe_globals blocklist. A blocklist that names modules, rather than allowing only known-good globals, misses any module it did not anticipate by construction.

Chain

  1. plistlib.loads(data) — not blocked
  2. Deserializes macOS property list data
  3. Combined with io.open, can read system plist configs

Reproduction

modelscan scan -p pytorch_model.bin
# Result: "No issues found"

python3 -c "import pickle; result = pickle.loads(open('pytorch_model.bin','rb').read()); print(result)"
# Result: Deserializes plist XML data
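The card does not ship the step that builds pytorch_model.bin. The following is an added example, not the card's PoC file and not modelscan's own code: it builds a pickle whose only global reference is plistlib.loads (steps 1 and 2 of the chain), reproduces the pickle.loads step on that constructed payload, and then shows the check a scanner or loader should perform instead of consulting a blocklist: enumerate every global the pickle references with pickletools and compare against an allowlist, plus an Unpickler subclass that refuses anything off the list. The embedded plist bytes and the allowlist contents (collections.OrderedDict and two torch globals) are constructed for the example and are not taken from modelscan.

```python
import io
import pickle
import pickletools
import plistlib

# Constructed sample: a small property list standing in for a real macOS
# preferences file. Embedding it in the pickle keeps the example offline.
SAMPLE_PLIST = plistlib.dumps({"LoginHook": "/usr/local/bin/hook", "Enabled": True})

# Illustrative allowlist for a PyTorch checkpoint. This is an assumption for the
# example: derive the real list from the globals your own trusted checkpoints use.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


class PlistLoader:
    """Payload object. Its __reduce__ makes pickle emit a global reference to
    plistlib.loads (chain steps 1 and 2); no os, subprocess or builtins name
    appears in the file, which is why a module blocklist that omits plistlib
    stays silent."""

    def __reduce__(self):
        return (plistlib.loads, (SAMPLE_PLIST,))


def build_payload() -> bytes:
    """Serialise the payload the way a malicious pytorch_model.bin would be."""
    return pickle.dumps(PlistLoader(), protocol=4)


def benign_payload() -> bytes:
    """A plain dict pickle that references no globals, for comparison."""
    return pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)


def unsafe_load(payload: bytes):
    """The reproduction step: pickle.loads runs plistlib.loads and returns the
    parsed plist. Only ever call this on the constructed payload above."""
    return pickle.loads(payload)


def referenced_globals(payload: bytes) -> set:
    """Static enumeration of every (module, name) the pickle would import,
    via pickletools.genops, so nothing is executed. Covers the protocol 0-3
    GLOBAL opcode (operand "module name") and the protocol 4 STACK_GLOBAL
    opcode, whose module and name are the two most recent string operands."""
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(payload):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            found.add((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def unexpected_globals(payload: bytes) -> list:
    """Allowlist check: report every global outside ALLOWED_GLOBALS. Because it
    never consults a blocklist, plistlib.loads is reported even though no
    blocklist names it."""
    return sorted(referenced_globals(payload) - ALLOWED_GLOBALS)


class AllowlistUnpickler(pickle.Unpickler):
    """Hardened loader: find_class refuses any global not on the allowlist,
    so the payload is rejected before plistlib.loads is ever resolved."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"disallowed global {module}.{name}")
        return super().find_class(module, name)


def rejected_by_allowlist(payload: bytes) -> bool:
    """True when the allowlisting unpickler refuses the payload."""
    try:
        AllowlistUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload()
    print("globals referenced:", sorted(referenced_globals(payload)))
    print("outside allowlist:", unexpected_globals(payload))
    print("unsafe pickle.loads returned:", unsafe_load(payload))
    print("rejected by allowlist unpickler:", rejected_by_allowlist(payload))
```

Run as a script it prints the single referenced global ('plistlib', 'loads'), the unsafe load returning the parsed dict, and the allowlisting unpickler rejecting the file while accepting the benign dict pickle. The allowlist check generalises beyond plistlib: any module a blocklist does not name, today or after a future stdlib addition, is caught the same way because the check asks "is this expected?" rather than "is this known bad?".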

Impact

Deserialization of macOS property-list data from inside a model file that modelscan reports as clean. By itself this is a parse, not code execution; combined with a file-read primitive it exposes system preferences, app configs, and keychain-adjacent files. The bypass also shows that a clean modelscan result gives no assurance about modules outside its blocklist. Severity: MEDIUM.

Modelscan Version

0.7.6 (latest on PyPI as of 2026-04-09)