willardj
Add README with vulnerability details
dd93d70 verified
metadata
tags:
  - security-research
  - vulnerability-poc

ModelScan Scanner Bypass — Arbitrary Code Execution PoC

WARNING: This repository contains proof-of-concept files for a security vulnerability. Do NOT load these files with pickle.load() or joblib.load() on a production system.

Vulnerability

ModelScan's unsafe_globals blocklist does not include ctypes or operator.methodcaller, allowing a malicious pickle/joblib model file to achieve arbitrary code execution while passing ModelScan's safety scanner with zero detections.
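Added example, not part of this repository or of ModelScan: a defender-side check that decodes a pickle stream with pickletools.genops (nothing is ever unpickled) and flags every GLOBAL / STACK_GLOBAL reference against a denylist that closes the two gaps named above. The denylist, the helper names and the constructed sample pickles in the self-test are assumptions of this example, not ModelScan's unsafe_globals list.

```python
import pickle
import pickletools

# Constructed denylist for this example; it is NOT ModelScan's unsafe_globals.
# DENY_MODULES flags any name imported from that module; DENY_NAMES flags one
# specific callable, which is how the operator.methodcaller gap is covered.
DENY_MODULES = {"ctypes", "os", "posix", "nt", "subprocess", "sys", "importlib"}
DENY_NAMES = {
    "operator.methodcaller",
    "builtins.eval", "builtins.exec", "builtins.getattr", "builtins.__import__",
}

# Opcodes that push a str (the module/name operands consumed by STACK_GLOBAL).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET = {"GET", "BINGET", "LONG_BINGET"}


def global_refs(data: bytes):
    """Yield (module, name, offset) for every GLOBAL / STACK_GLOBAL opcode.

    pickletools.genops only decodes opcodes, so this runs safely on an
    untrusted file. Memo puts/gets are tracked so a stream that stores
    "ctypes" in the memo and recalls it with BINGET is still resolved.
    """
    recent = []   # last two strings pushed; STACK_GLOBAL consumes exactly these
    memo = {}     # memo slot -> str stored there (None if it was not a str)
    last = None   # most recently pushed value, if it was a str
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            last = str(arg)
            recent = (recent + [last])[-2:]
        elif op.name in MEMO_PUT:
            memo[arg] = last
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in MEMO_GET:
            last = memo.get(arg)
            if isinstance(last, str):
                recent = (recent + [last])[-2:]
        else:
            if op.stack_after:
                last = None          # a non-string value was pushed
            if op.name == "GLOBAL":
                # Protocol 0-3 form: operand is "module name" from two text lines
                module, _, name = arg.partition(" ")
                yield module, name, pos
            elif op.name == "STACK_GLOBAL":
                # Protocol 4+ form: module and name were pushed as two strings
                if len(recent) == 2:
                    yield recent[0], recent[1], pos
                else:
                    yield "<unresolved>", "<unresolved>", pos


def scan_pickle_bytes(data: bytes) -> list:
    """Return one finding per denylisted global; an empty list means no hit."""
    findings = []
    try:
        for module, name, pos in global_refs(data):
            if module in DENY_MODULES or f"{module}.{name}" in DENY_NAMES:
                findings.append({"module": module, "name": name, "offset": pos})
    except ValueError as exc:
        # Truncated or malformed stream: report it, never fall back to pickle.load
        findings.append({"module": "<malformed>", "name": str(exc), "offset": -1})
    return findings


def scan_file(path: str) -> list:
    """Scan a .pkl (or array-free, uncompressed .joblib) file without loading it."""
    with open(path, "rb") as fh:
        return scan_pickle_bytes(fh.read())


# Constructed samples: a benign pickle, a benign global, and two hand-written
# streams that merely reference (never call) the two gaps named above.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
BENIGN_GLOBAL = pickle.dumps(len, protocol=4)               # builtins.len
REF_METHODCALLER = b"\x80\x04\x8c\x08operator\x8c\x0cmethodcaller\x93."
REF_CTYPES = b"cctypes\nCDLL\n."                             # protocol 0 GLOBAL

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("benign_global", BENIGN_GLOBAL),
                        ("methodcaller", REF_METHODCALLER), ("ctypes", REF_CTYPES)]:
        print(label, scan_pickle_bytes(blob))
```

Point scan_file at the .pkl in this repository to see the ctypes reference reported without the file ever being loaded. The joblib file here carries no array payload, so it is a plain pickle stream and scans the same way; joblib containers with numpy arrays or compression need format-aware unwrapping first, which this example does not do.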

Files

  • modelscan-bypass-rce.pkl — 66-byte pickle payload that executes id via ctypes.CDLL(None).system()
  • modelscan-bypass-rce.joblib — Same payload in joblib format
  • modelscan-bypass-poc.py — PoC script with generate/verify/analyze commands

Affected

  • ModelScan <= 0.8.8 (all versions)
  • All pickle-based model formats: .pkl, .joblib, .pickle, .dat, .data

Reproduction

# Generate malicious model files
python3 modelscan-bypass-poc.py generate

# Scan with ModelScan — should report NO issues
modelscan -p ./malicious-model.joblib

# Verify RCE
python3 modelscan-bypass-poc.py verify

Responsible Disclosure

This PoC is submitted via huntr.com as part of the Model File Vulnerability (MFV) program.