ModelScan Bypass PoC β _io.open Chain
Security research: pickle file that bypasses ProtectAI modelscan scanner while achieving arbitrary file read via _io.open + operator.methodcaller.
For responsible disclosure via Huntr MFV program only.
Chain
_io.open('/etc/passwd', 'r')β opens arbitrary file (builtins.open is blocked but_io.openis not)operator.methodcaller('read')β reads file contents (onlyattrgetteris blocked)- Chains together:
methodcaller(file_handle)β returns file contents
Modelscan Result
No issues found! π
Impact
Arbitrary file read bypassing modelscan's pickle safety scanner. Can exfiltrate SSH keys, credentials, cloud tokens.
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support