---
license: mit
tags:
- security-research
- modelscan-bypass
---

# Modelscan Bypass: code.InteractiveInterpreter + operator.methodcaller

## Summary

This model file bypasses the ProtectAI modelscan 0.7.6 (latest) scanner while achieving arbitrary code execution via Python's `code.InteractiveInterpreter` class combined with `operator.methodcaller`.

## Bypass Chain

1. `code.InteractiveInterpreter()` — creates a Python interactive interpreter instance
2. `operator.methodcaller("runsource", PAYLOAD)` — creates a callable that invokes `.runsource()` with arbitrary Python code
3. Chain executes: `interp.runsource(payload)` → arbitrary code execution

## Why It Works

- The `code` module is NOT in modelscan's `unsafe_globals` blocklist
- `operator.methodcaller` is NOT blocked (only `operator.attrgetter` is blocked)
- `InteractiveInterpreter.runsource()` calls `compile()` then `exec()` internally
- modelscan only checks module+function pairs against its blocklist

## Modelscan Result

## Impact

Full arbitrary code execution on model load via `pickle.load()` or `torch.load()`.

## Affected

modelscan 0.7.6 (latest on PyPI as of 2026-04-10)

## Responsible Disclosure

Submitted to Huntr for ProtectAI review.
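
The blocklist gap described under "Why It Works", seen from the scanner side, as an added example (not part of the original page and not modelscan's code): it lists a pickle's imports without loading it, then compares a blocklist check with an allowlist check. `BLOCKLIST` holds only the entry the page names; `ALLOWLIST` and the sample pickles are assumptions constructed here, and the samples hold bare class references with no call.

```python
import code
import operator
import pickle
import pickletools
from collections import OrderedDict

# Assumption: the one blocklist entry the page names; not modelscan's real list.
BLOCKLIST = {("operator", "attrgetter")}
# Assumption: hypothetical allowlist for a checkpoint that holds plain data only.
ALLOWLIST = {("collections", "OrderedDict")}
UNRESOLVED = ("<unresolved>", "<unresolved>")

def pickle_imports(data: bytes):
    """List the (module, name) pairs a pickle would import, without loading it."""
    found, stack, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):        # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            stack.append(None)
        elif op.name == "STACK_GLOBAL":          # protocol 4+: two strings on the stack
            pair = stack[-2:]
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.append(tuple(pair) if ok else UNRESOLVED)  # fail closed
            stack.append(None)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        else:                                    # keep strings, mark the rest unknown
            stack.append(arg if isinstance(arg, str) else None)
    return found

def blocklist_hits(imports):
    return [i for i in imports if i in BLOCKLIST]

def allowlist_violations(imports):
    return [i for i in imports if i not in ALLOWLIST]

# Constructed samples: bare references to the classes, no call and no payload.
SAMPLE = pickle.dumps(
    (code.InteractiveInterpreter, operator.methodcaller, OrderedDict()), protocol=4)
SAMPLE_V2 = pickle.dumps((code.InteractiveInterpreter,), protocol=2)

if __name__ == "__main__":
    imports = pickle_imports(SAMPLE)
    print("blocklist hits:      ", blocklist_hits(imports))
    print("allowlist violations:", allowlist_violations(imports))
```

The blocklist check returns nothing for the sample, while the allowlist check flags both `code.InteractiveInterpreter` and `operator.methodcaller`. The stack tracking is a heuristic: any `STACK_GLOBAL` whose operands cannot be resolved is reported as unresolved and therefore fails the allowlist.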