---
license: mit
tags:
- security-research
- modelscan-bypass
- pickle-safety
---

# modelscan-bypass-shelve

## Modelscan Bypass PoC — shelve.open

**Severity**: MEDIUM

**Impact**: Arbitrary file write — `shelve.open(filename)` creates database files at arbitrary paths

**modelscan version**: 0.7.6 (latest on PyPI)

**Result**: "No issues found!" ✅ (false negative)

### Chain

`shelve.open("/target/path")` → creates .db files at arbitrary path

### Why It Works

`shelve.open` is NOT in modelscan's `unsafe_globals` blocklist. `shelve` is NOT in the blocklist.

Note: `shelve` uses `pickle` internally.

### Reproduction

```bash
pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Executes arbitrary code
```

### Responsible Disclosure

This PoC is part of a responsible disclosure to ProtectAI via the Huntr MFV program.
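### Detection note: allowlisting instead of blocklisting

The "Why It Works" section comes down to a blocklist gap: `shelve` is simply not on modelscan's `unsafe_globals` list. The check below is an added example, not modelscan's code and not part of this PoC, showing the inverse policy: walk the pickle opcode stream with the standard library's `pickletools.genops` (never calling `pickle.loads`), collect every `GLOBAL` / `STACK_GLOBAL` / `INST` reference, and flag anything that is not on an explicit allowlist. The allowlist contents, the `scan_pickle` / `sample_pickles` names and the `ScanResult` type are assumptions made for this example; the sample inputs are constructed and the `shelve.open` sample is a bare function reference with no call opcode, so it is not the PoC file.

```python
"""Allowlist-based static pickle scanner (added example, not modelscan's code)."""
import pickle
import pickletools
import shelve
import sys
from dataclasses import dataclass

# Illustrative allowlist (assumption): the globals a plain PyTorch/NumPy
# checkpoint needs. A real deployment derives this per framework.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
}

# Opcodes that invoke a previously pushed global (the "chain" step).
CALL_OPCODES = {"REDUCE", "NEWOBJ", "NEWOBJ_EX", "INST", "OBJ", "BUILD"}

# Opcodes that push a string constant; STACK_GLOBAL consumes the last two.
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
                  "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"}


@dataclass
class ScanResult:
    globals_seen: list   # every (module, name) the pickle references
    flagged: list        # those not on the allowlist
    has_call: bool       # whether any call-capable opcode is present

    @property
    def is_clean(self) -> bool:
        return not self.flagged


def referenced_globals(data: bytes):
    """Yield (module, name) for each GLOBAL, INST or STACK_GLOBAL opcode."""
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            # pickletools renders the module/name pair as "module name"
            module, _, name = arg.partition(" ")
            yield module, name
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two most recent strings
            if len(recent_strings) >= 2:
                yield recent_strings[-2], recent_strings[-1]
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
            del recent_strings[:-2]


def scan_pickle(data: bytes) -> ScanResult:
    """Static scan: parse opcodes only; the input is never unpickled."""
    seen = list(referenced_globals(data))
    flagged = [g for g in seen if g not in ALLOWED_GLOBALS]
    has_call = any(op.name in CALL_OPCODES
                   for op, _, _ in pickletools.genops(data))
    return ScanResult(seen, flagged, has_call)


def sample_pickles() -> dict:
    """Constructed inputs: a harmless dict, and a bare reference to the
    shelve.open function object (no REDUCE, nothing is called) in both
    opcode encodings. A blocklist without shelve passes the latter two;
    the allowlist rejects them."""
    return {
        "plain-dict": pickle.dumps({"a": [1, 2]}),
        "shelve-ref-proto4": pickle.dumps(shelve.open, protocol=4),
        "shelve-ref-proto2": pickle.dumps(shelve.open, protocol=2),
    }


if __name__ == "__main__":
    samples = sample_pickles()
    if len(sys.argv) > 1:  # optionally scan a file given on the command line
        with open(sys.argv[1], "rb") as fh:
            samples[sys.argv[1]] = fh.read()
    for label, blob in samples.items():
        r = scan_pickle(blob)
        verdict = "clean" if r.is_clean else f"FLAGGED {r.flagged}"
        print(f"{label}: {verdict} (call opcode present: {r.has_call})")
```

Running the script prints `clean` for the dict and `FLAGGED [('shelve', 'open')]` for both function-reference samples; `python3 scanner.py bypass_poc.pkl` adds the PoC file to the same pass. The design choice worth noting is that a bare reference is already a finding: the allowlist does not wait for a `REDUCE` to decide, so new stdlib callables never need to be added to a blocklist after the fact.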