ModelScan Bypass PoC - pip.main Deserialization

Security research PoC for responsible disclosure via huntr.com.

Files

  • safe_demo.joblib: Calls pip.main(["--version"]) when loaded. Bypasses ModelScan.
  • rce_proof.joblib: Calls pip.main(["install", ...]) when loaded. Bypasses ModelScan.

Vulnerability

ModelScan v0.8.8 does not include pip in its unsafe globals blacklist. A malicious .joblib file can call pip.main() to install arbitrary packages, which can execute arbitrary code via setup.py.

Reproduction

from modelscan.modelscan import ModelScan
scanner = ModelScan()
result = scanner.scan("safe_demo.joblib")
print(result["summary"])  # total_issues: 0

import joblib
joblib.load("safe_demo.joblib")  # prints pip version

Disclosure

Submitted via huntr.com Model File Vulnerability program.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support