ModelScan Bypass PoC - pip.main Deserialization
Security research PoC for responsible disclosure via huntr.com.
Files
- safe_demo.joblib: Calls pip.main(["--version"]) when loaded. Bypasses ModelScan.
- rce_proof.joblib: Calls pip.main(["install", ...]) when loaded. Bypasses ModelScan.
Vulnerability
ModelScan v0.8.8 does not include pip in its unsafe globals blacklist. A malicious .joblib file can call pip.main() to install arbitrary packages, which can execute arbitrary code via setup.py.
Reproduction
from modelscan.modelscan import ModelScan
scanner = ModelScan()
result = scanner.scan("safe_demo.joblib")
print(result["summary"]) # total_issues: 0
import joblib
joblib.load("safe_demo.joblib") # prints pip version
Disclosure
Submitted via huntr.com Model File Vulnerability program.
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support