ModelScan Jinja2 SSTI Bypass PoC
Category: Joblib MFV (Pickle Scanner Bypass) โ $4,000
Affected: ModelScan v0.8.8
Vulnerability Summary
ModelScan's PickleUnsafeOpScan uses a hardcoded blocklist of "unsafe" modules.
jinja2 (a popular template engine) is NOT in this blocklist. By crafting a pickle
payload that creates a jinja2.Template with an SSTI payload and calls .render(),
arbitrary code execution is achieved.
Attack Chain
jinja2.Template(ssti_payload)โ Template object (jinja2 NOT blocked)operator.methodcaller('render')(template)โ RCE (operator.methodcaller NOT blocked)
GLOBAL opcodes in pickle: jinja2.Template, operator.methodcaller
Both are absent from ModelScan's unsafe_globals blocklist.
Impact
Full Remote Code Execution in any environment with jinja2 installed.
PoC File
exploit_jinja.joblib โ valid Joblib file containing the exploit pickle.
modelscan reports: No issues found!
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐ Ask for provider support