modelscan Bypass: sqlite3 Database-Mediated File Write + Native Code RCE

Security Research - Responsible Disclosure

This repository contains proof-of-concept pickle files demonstrating that modelscan v0.8.8 fails to detect malicious payloads built from sqlite3.connect() and operator.methodcaller().

Files

  • sqlite3_attach_bypass.pkl - Arbitrary file creation via ATTACH DATABASE (guaranteed to work)
  • sqlite3_rce_bypass.pkl - Native code execution via load_extension (requires extension-enabled Python)

Attack Category

Database-mediated arbitrary file write + native code RCE - novel bypass class.

Scanner Result

modelscan scan -p sqlite3_attach_bypass.pkl
No issues found! 🎉

Root Cause

The sqlite3 module is entirely absent from modelscan's unsafe_globals blocklist, and operator.methodcaller is not blocked either (only operator.attrgetter is listed).
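The gap above is a blocklist gap, so the defender-side fix is to check for the missing entries statically. The following is an added example, not code from this repository or from modelscan: it walks pickle opcodes with pickletools.genops (nothing is unpickled or executed) and flags GLOBAL/STACK_GLOBAL imports of the sqlite3 module and of operator.methodcaller; the blocklist and the sample pickles are constructed for the example.

```python
import io
import pickle
import pickletools

# Hypothetical minimal blocklist for this check (not modelscan's own list).
FLAGGED_GLOBALS = {("operator", "methodcaller")}
FLAGGED_MODULES = {"sqlite3"}

def find_flagged_globals(data: bytes) -> list:
    """Return (module, name) pairs that GLOBAL/STACK_GLOBAL opcodes would import.

    pickletools.genops only decodes opcodes: nothing is unpickled, so no import
    or call embedded in the payload is ever executed by this scan.
    """
    hits = []
    strings = []  # recent string pushes; STACK_GLOBAL consumes the last two
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)          # protocol 0-3 form
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                continue
            module, name = strings[-2], strings[-1]   # protocol 4+ form
        else:
            if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
                strings.append(arg)
            continue
        if module in FLAGGED_MODULES or (module, name) in FLAGGED_GLOBALS:
            hits.append((module, name))
    return hits

# Constructed samples: two hand-built pickles that merely *reference* the
# globals named on this page (no call opcode), plus a benign weight-like dict.
SAMPLES = {
    "sqlite3_global": b"csqlite3\nconnect\n.",
    "methodcaller_stack_global":
        b"\x80\x04\x8c\x08operator\x94\x8c\x0cmethodcaller\x94\x93\x94.",
    "benign_dict": pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=4),
}

def scan_samples() -> dict:
    """Map each sample name to the flagged (module, name) pairs found in it."""
    return {name: find_flagged_globals(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {'FLAGGED ' + str(hits) if hits else 'no flagged globals'}")
```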

Impact

  • Arbitrary file creation at any writable path
  • Attacker-controlled data injection into files
  • Native shared library loading (full RCE) via load_extension
  • Two-stage chain: combine with _io/pathlib bypass to write .so, then load via sqlite3