ModelScan Bypass PoC β importlib + operator.methodcaller
β οΈ SECURITY RESEARCH ONLY β This is a proof-of-concept for responsible disclosure.
This repository demonstrates a bypass of ProtectAI's ModelScan (v0.7.6) pickle scanner.
Vulnerability
The pytorch_model.bin file contains a crafted pickle payload that:
- Uses
importlib.import_module(NOT in ModelScan's blocklist) to importos - Uses
operator.methodcaller(NOT in ModelScan's blocklist) to callos.system() - Achieves arbitrary code execution while ModelScan reports "No issues found"
Reproduction
# 1. Scan with modelscan β reports clean
pip install modelscan
modelscan scan -p pytorch_model.bin
# Output: No issues found! π
# 2. Load with pickle β executes code
python3 -c "import pickle; pickle.loads(open('pytorch_model.bin','rb').read())"
# Creates /tmp/modelscan_poc_proof
Impact
A malicious model file using this technique would pass HuggingFace's safety scan
and execute arbitrary code when loaded by any user via torch.load() or pickle.loads().
Reported via Huntr MFV Program
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support