Hugging Face's logo

manja316
/
modelscan-bypass-posixsubprocess

PyTorch
security-research
modelscan-bypass
Model card Files
xet
 Community
modelscan-bypass-posixsubprocess / README.md
manja316's picture
manja316
Upload folder using huggingface_hub
953701d verified
preview code
|
raw
history blame contribute delete
1.18 kB
metadata 
library_name: pytorch
tags:
  - security-research
  - modelscan-bypass
license: mit

ModelScan Bypass PoC — _posixsubprocess.fork_exec

Security research for responsible disclosure via Huntr MFV program.

Vulnerability

_posixsubprocess.fork_exec is not in modelscan's unsafe_globals blocklist. When a pickle file containing this global is scanned by modelscan, it reports "No issues found." However, loading the file with pickle.loads() / torch.load() triggers DIRECT fork() + exec() syscall — spawns arbitrary process. subprocess module is blocked but its C implementation _posixsubprocess is NOT..

Impact

  • Severity: CRITICAL
  • Effect: DIRECT fork() + exec() syscall — spawns arbitrary process. subprocess module is blocked but its C implementation _posixsubprocess is NOT.

Bypass Class

subprocess is blocked with * wildcard, but _posixsubprocess (the C extension that subprocess uses internally) is not in the blocklist. This function directly calls fork() and execvp() — full arbitrary command execution.

Reproduction 

pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"