ModelScan Jinja2 SSTI Bypass PoC

Category: Joblib MFV (Pickle Scanner Bypass) โ€” $4,000

Affected: ModelScan v0.8.8

Vulnerability Summary

ModelScan's PickleUnsafeOpScan uses a hardcoded blocklist of "unsafe" modules. jinja2 (a popular template engine) is NOT in this blocklist. By crafting a pickle payload that creates a jinja2.Template with an SSTI payload and calls .render(), arbitrary code execution is achieved.

Attack Chain

  1. jinja2.Template(ssti_payload) โ†’ Template object (jinja2 NOT blocked)
  2. operator.methodcaller('render')(template) โ†’ RCE (operator.methodcaller NOT blocked)

GLOBAL opcodes in pickle: jinja2.Template, operator.methodcaller Both are absent from ModelScan's unsafe_globals blocklist.

Impact

Full Remote Code Execution in any environment with jinja2 installed.

PoC File

exploit_jinja.joblib โ€” valid Joblib file containing the exploit pickle. modelscan reports: No issues found!

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support