---
license: mit
tags:
- security-research
- modelscan-bypass
- pickle-safety
---

# modelscan-bypass-code-interpreter

## Modelscan Bypass PoC — code.InteractiveInterpreter

**Severity**: CRITICAL

**Impact**: Full RCE via `exec()` — `code.InteractiveInterpreter.runsource()` calls `exec()` on arbitrary Python code

**modelscan version**: 0.7.6 (latest on PyPI)

**Result**: "No issues found!" ✅ (false negative)

### Chain

`code.InteractiveInterpreter()` → `operator.methodcaller("runsource", malicious_code)` → `exec(malicious_code)`

### Why It Works

`code.InteractiveInterpreter` is NOT in modelscan's `unsafe_globals` blocklist. Neither the `code` module nor `operator.methodcaller` is blocked, so a pickle that imports only these two globals passes the scan even though loading it executes attacker-supplied code.

### Reproduction

```bash
pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Executes arbitrary code
```

### Responsible Disclosure

This PoC is part of a responsible disclosure to ProtectAI via the Huntr MFV program.
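The root cause in "Why It Works" is that a blocklist can only name the dangerous globals its authors thought of. The defensive counterpart is an allowlist: enumerate every `module.name` a pickle would import (statically, without loading it) and reject anything that is not explicitly expected, which catches `code.InteractiveInterpreter` without anyone having to list it. The following is an added example written for this page; it is not part of the PoC, not modelscan code, and not ProtectAI's guidance. It generalises beyond the single chain above to any unexpected global. The `SAFE_GLOBALS` entries are a hypothetical allowlist (an `OrderedDict` plus one PyTorch tensor-rebuild helper) that a real deployment would replace with exactly what its checkpoint format needs; the sample pickles are constructed inline and only *reference* the class by name, so loading them with plain `pickle` would return the class object rather than run anything.

```python
# Added example (not from the original write-up): static pickle inspection
# plus an allowlisting unpickler, the defence that does not depend on a
# blocklist knowing about code.InteractiveInterpreter.
import collections
import code       # imported only so the constructed sample can reference the class
import io
import pickle
import pickletools

# Hypothetical allowlist: replace with the exact globals your format needs.
SAFE_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",  # what a PyTorch tensor checkpoint imports
}

# Opcodes that push a str onto the unpickler stack (module/name candidates).
_STR_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def find_globals(data: bytes):
    """Statically list every (module, name) the pickle would import, without
    executing it.  Handles GLOBAL (protocols 0-3) and STACK_GLOBAL (4+),
    including module/name strings re-fetched from the memo via GET/BINGET."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in _STR_OPS:
            last = arg
            strings.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = last          # implicit memo index = current memo size
            continue                        # stack top is unchanged
        elif name in ("BINPUT", "LONG_BINPUT", "PUT"):
            memo[arg] = last
            continue
        elif name in ("BINGET", "LONG_BINGET", "GET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif name == "GLOBAL":              # arg is "module name"
            module, qualname = arg.split(" ", 1)
            found.append((module, qualname))
            last = None
        elif name == "STACK_GLOBAL":        # pops name, then module
            if len(strings) >= 2:
                qualname, module = strings.pop(), strings.pop()
                found.append((module, qualname))
            last = None
        else:
            last = None
    return found


def scan(data: bytes, allowlist=SAFE_GLOBALS):
    """Fully qualified globals in `data` that are NOT allowlisted.
    Empty list means the pickle imports nothing unexpected."""
    return [f"{m}.{n}" for m, n in find_globals(data) if f"{m}.{n}" not in allowlist]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any global outside SAFE_GLOBALS at load time, so a file that
    somehow slipped past the static scan still cannot reach exec()."""

    def find_class(self, module, name):
        key = f"{module}.{name}"
        if key not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"global {key!r} is not allowlisted")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_loadable(data: bytes) -> bool:
    """True if the allowlisting unpickler accepts the file."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed samples (not real model files).  The "suspect" ones reference the
# class by name only; they exercise the detector on the module the PoC relies on.
BENIGN_PICKLE = pickle.dumps({"weights": [1.0, 2.0], "epoch": 3}, protocol=4)
ALLOWED_PICKLE = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
SUSPECT_PICKLE = pickle.dumps(code.InteractiveInterpreter, protocol=4)      # STACK_GLOBAL path
SUSPECT_PICKLE_P2 = pickle.dumps(code.InteractiveInterpreter, protocol=2)   # GLOBAL path
TWO_CLASSES_PICKLE = pickle.dumps(
    (code.InteractiveInterpreter, code.InteractiveConsole), protocol=4)     # memo reuse path

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE), ("allowed", ALLOWED_PICKLE),
                        ("suspect", SUSPECT_PICKLE)]:
        print(f"{label:8s} globals={find_globals(blob)} flagged={scan(blob)}")
```

Run the static `scan()` before any load, and load only through `safe_loads()`; the two are complementary, since the scanner is a pre-filter for files at rest and the restricted unpickler is the control that actually blocks the import. Note that `pickletools.genops` parses opcodes only and never executes the stream, which is what makes the first step safe to run on untrusted files.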