Pickle Scanner Bypass via `mailcap.findmatch`

Bypasses picklescan and modelscan.

The Vulnerability

Python's deprecated mailcap module (removed in Python 3.13) exposes findmatch() which executes mailcap entry test commands via os.system(). Neither scanner blocks mailcap imports.

How it works

pickle.loads() imports mailcap.findmatch
Calls findmatch(caps, type, 'view', filename) where caps contains a crafted entry with 'test': '<shell_command>'
findmatch() internally runs os.system(test_command)

Files

malicious.pkl — Minimal pickle payload (140 bytes)
poc.py — Python script that generates and demonstrates the payload

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support

Pickle Scanner Bypass via mailcap.findmatch

The Vulnerability

How it works

Files

Pickle Scanner Bypass via `mailcap.findmatch`