---
license: mit
---

# Modelscan Bypass PoC → trace.Trace().run()

## Vulnerability

Modelscan 0.7.6 fails to detect malicious pickle files that use `trace.Trace().run()` for arbitrary code execution.

The `trace` module is not in modelscan's `unsafe_globals` blocklist. `trace.Trace().run(stmt)` internally calls `exec(compile(stmt))`, enabling full RCE.

## Chain

1. `operator.methodcaller('run', '<malicious_code>')` → not blocked (only `attrgetter` is blocked)
2. `trace.Trace()` → not blocked
3. `methodcaller(trace_instance)` → calls `trace_instance.run(stmt)` → `exec(compile(stmt))`
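The defender-side check this chain calls for, as an added example that is not part of this PoC or of modelscan's own code: walk the pickle opcodes with `pickletools.genops` (which parses without executing) and report every imported global that is not on an allowlist, so a module a blocklist has never heard of, such as `trace`, still gets flagged. The allowlist contents and the test pickles are constructed for this example.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Allowlist instead of blocklist: a PyTorch weights pickle needs only a few globals,
# so anything outside this set is flagged even if no blocklist names it.
# (Assumption: extend this set for the models you actually ship.)
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

# Opcodes that push a str onto the pickle VM stack; STACK_GLOBAL (protocol 4+)
# takes its module and attribute name from the last two of these.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes):
    """Every (module, name) the stream would import, found by opcode walking only.
    pickletools.genops never executes the stream, so this is safe on untrusted files.
    Limitation: STACK_GLOBAL operands fetched from the memo (BINGET) are not resolved.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in ("GLOBAL", "INST"):        # protocols 0-3: "module name" in one arg
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: operands come from the stack
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string pushes")
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found

def suspicious_globals(data: bytes):
    """Imported globals that are not allowlisted; an empty list means nothing unexpected."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]

# Constructed test inputs: the benign ones are real pickles of an empty OrderedDict; the
# suspect ones only push a reference to trace.Trace (GLOBAL / STACK_GLOBAL) and STOP,
# so nothing is called, yet a scanner should still report the unexpected import.
BENIGN_P2 = pickle.dumps(OrderedDict(), protocol=2)
BENIGN_P4 = pickle.dumps(OrderedDict(), protocol=4)
SUSPECT_P2 = b"\x80\x02ctrace\nTrace\n."
SUSPECT_P4 = b"\x80\x04\x8c\x05trace\x8c\x05Trace\x93."
```

Run `suspicious_globals` over a model file's bytes before any `torch.load()`; a non-empty result is the signal to quarantine the file rather than load it.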
## Reproduction

```bash
modelscan scan -p pytorch_model.bin
# Result: "No issues found"
python3 -c "import pickle; pickle.loads(open('pytorch_model.bin','rb').read())"
# Result: Arbitrary code execution
```

## Impact

Full RCE on any system that loads this model file via `torch.load()` or `pickle.loads()`.

## Modelscan Version

0.7.6 (latest as of 2026-04-05)