metadata
license: mit
tags:
- security-research
- modelscan-bypass
Modelscan Bypass: pkgutil.resolve_name → Universal RCE
⚠️ SECURITY RESEARCH ONLY — DO NOT LOAD UNTRUSTED MODELS
Vulnerability
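pkgutil.resolve_name() takes a dotted name as a string and returns the object it names, importing modules as needed, so it can resolve ANY Python callable at runtime. This makes the ENTIRE modelscan blocklist irrelevant: the blocked name appears only as a string argument, never as an imported module, and a single function call can reach os.system, subprocess.call, or any other blocked callable.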
Impact
- CVSS: 10.0 — Universal blocklist bypass
- Type: RCE — Arbitrary command execution
- Modelscan result: "No issues found" on both .pkl and .bin formats
Chain
pkgutil.resolve_name("os.system") → <built-in function system>
os.system("command") → RCE
Affected
- modelscan (all versions through 0.8.7)
- Any scanner using module-name blocklists
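Why a module-name blocklist misses this while an allowlist does not, as an added defensive example (not code from this repo or from modelscan). The block and allow lists are assumed sample values, and the scan reads opcodes only; nothing is unpickled.

```python
import collections
import pickle
import pickletools
import pkgutil

# Assumed lists for illustration only; not modelscan's real configuration.
BLOCKED_MODULES = {"os", "subprocess", "posix", "nt", "builtins"}
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
NO_STACK_EFFECT = {"PROTO", "FRAME", "MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
UNRESOLVED = ("<unresolved>", "<unresolved>")

def referenced_globals(data: bytes):
    """List (module, name) pairs a pickle imports, without ever loading it."""
    found, recent = [], []  # recent: last pushes, None when not a string
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")
            found.append((module, name))
            recent.append(None)
        elif opcode.name == "STACK_GLOBAL":
            pair = tuple(recent[-2:])
            # Fail closed if the two operands are not plain string pushes.
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.append(pair if ok else UNRESOLVED)
            recent.append(None)
        elif "UNICODE" in opcode.name or "STRING" in opcode.name:
            recent.append(arg)
        elif opcode.name not in NO_STACK_EFFECT:
            recent.append(None)
    return found

def blocklist_hits(data: bytes):
    """Module-name blocklist: flags only globals whose module is listed."""
    return [g for g in referenced_globals(data)
            if g[0].split(".")[0] in BLOCKED_MODULES]

def allowlist_violations(data: bytes):
    """Allowlist: flags every global that is not explicitly permitted."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]

# Constructed samples: a bare reference to the resolver (nothing is called)
# and an ordinary container. Neither is ever passed to pickle.load().
RESOLVER_REF = pickle.dumps(pkgutil.resolve_name, protocol=4)
BENIGN = pickle.dumps(collections.OrderedDict(layer=1), protocol=4)

if __name__ == "__main__":
    for label, blob in (("resolver", RESOLVER_REF), ("benign", BENIGN)):
        print(label, blocklist_hits(blob), allowlist_violations(blob))
```

The resolver reference passes the blocklist with no hits and is rejected by the allowlist, which is the property a scanner for untrusted model files needs.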
Responsible Disclosure
This repo uses gated access. Findings reported to ProtectAI via Huntr.