
PoC: Nested Pickle Scanner Bypass in joblib

Security Research: This repository demonstrates a vulnerability in the joblib file format for authorized bug bounty research (Huntr Models program).

Vulnerability

Object-type NumPy arrays in .joblib files trigger a hidden pickle.load() call that bypasses security scanners (including ProtectAI ModelScan) inspecting only the top-level pickle stream.

Scanner Bypass Proof

$ modelscan -p poc_issue_01_model.joblib
--- Summary ---
No issues found!

Yet loading the file executes arbitrary code:

import joblib
result = joblib.load('poc_issue_01_model.joblib')
# Check: poc_issue_01_output.txt was created -> code execution confirmed

Impact

Arbitrary code execution when loading untrusted .joblib files from repositories like HuggingFace. The payload is invisible to automated security scanners.

Affected Code

  • joblib/numpy_pickle.py: NumpyArrayWrapper.read_array() calls pickle.load() for object-type arrays without scanner visibility.
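The defensive counterpart to the bypass above is a scanner that does not stop at the top-level stream. The following is an added example written for this write-up; it is not code from this repository, from joblib, or from ModelScan. It walks every pickle stream in a file with pickletools.genops (which returns at the first STOP it meets, so it is restarted after each one), lists every GLOBAL / STACK_GLOBAL reference against an allowlist, and flags any NumpyArrayWrapper whose dtype is object, because that is exactly the case in which read_array() performs the hidden pickle.load(). The allowlist, the helper names, the mypkg.model.Custom class and the two sample files are constructed for the example; the samples are hand-built to follow the layout joblib writes (wrapper opcodes, then either a nested protocol-2 pickle or raw array bytes, then the outer STOP) and are not produced by joblib itself.

```python
import io
import pickletools

# Site policy (assumption, not from the page): packages a trusted model file may reference.
ALLOWED_MODULES = ("numpy", "joblib", "sklearn", "scipy")
MEMO_OPS = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}  # bookkeeping opcodes, skipped when pairing values


def allowed(module):
    return any(module == p or module.startswith(p + ".") for p in ALLOWED_MODULES)


def iter_pickle_streams(data):
    """Yield (ops, failed_at) per consecutive pickle stream. genops returns at the first STOP, which in a
    joblib file with an object array is the nested array pickle's, so we restart right after it.
    failed_at is the offset of the first non-opcode byte (raw numeric array data or truncation)."""
    pos = 0
    while pos < len(data):
        buf, ops = io.BytesIO(data[pos:]), []
        try:
            for opcode, arg, op_pos in pickletools.genops(buf):
                ops.append((opcode.name, arg, pos + op_pos))
        except ValueError:
            yield ops, pos + max(buf.tell() - 1, 0)
            return
        yield ops, None
        pos += buf.tell()


def globals_in(ops):
    """(module, name, offset, index) for every GLOBAL (protocol <= 3) or STACK_GLOBAL (protocol 4) reference."""
    refs, values = [], []  # values: args of non-memo opcodes seen so far, to recover STACK_GLOBAL's two operands
    for i, (name, arg, off) in enumerate(ops):
        if name == "GLOBAL":
            module, _, attr = arg.partition(" ")
            refs.append((module, attr, off, i))
        elif name == "STACK_GLOBAL":
            module, attr = (["?", "?"] + values)[-2:]  # "?" = memo reference, not resolved here
            refs.append((module, attr, off, i))
        if name not in MEMO_OPS:
            values.append(arg if isinstance(arg, str) else "?")
    return refs


def object_array_wrappers(ops):
    """Offsets of NumpyArrayWrapper objects whose dtype is object. joblib's read_array() resolves those with
    pickle.load() on the bytes after the wrapper, which a scan of the top-level stream alone never reaches."""
    hits, pending = [], None
    for module, attr, off, i in globals_in(ops):
        if (module, attr) == ("joblib.numpy_pickle", "NumpyArrayWrapper"):
            pending = off
        elif pending is not None and (module, attr) == ("numpy", "dtype"):
            # first argument of numpy.dtype(...), e.g. 'O8' or '<f8', skipping memo opcodes
            spec = next((a for n, a, _ in ops[i + 1:] if n not in MEMO_OPS), None)
            if isinstance(spec, str) and spec.lstrip("|<>=").startswith("O"):
                hits.append(pending)
            pending = None
    return hits


def scan_joblib_bytes(data):
    """Walk every stream; report globals, allowlist violations, hidden object-array loads and unparsed bytes."""
    r = {"streams": 0, "globals": [], "disallowed": [], "object_arrays": [], "failed_at": None}
    for ops, failed_at in iter_pickle_streams(data):
        r["streams"] += 1
        r["globals"] += [(m, a, off) for m, a, off, _ in globals_in(ops)]
        r["disallowed"] += [(m, a, off) for m, a, off, _ in globals_in(ops) if not allowed(m)]
        r["object_arrays"] += object_array_wrappers(ops)
        r["failed_at"] = failed_at
    return r


def bu(s):  # BINUNICODE opcode (protocol 2 str)
    return b"X" + len(s.encode()).to_bytes(4, "little") + s.encode()


def global_op(module, name):  # GLOBAL opcode
    return f"c{module}\n{name}\n".encode()


def wrapper_head(dtype_spec):
    """PROTO 2, then NumpyArrayWrapper(subclass=ndarray, shape=(2,), order='C', dtype=numpy.dtype(spec),
    allow_mmap=False) pickled as NEWOBJ + BUILD (simplified dtype reduce, no memo opcodes)."""
    return (b"\x80\x02" + global_op("joblib.numpy_pickle", "NumpyArrayWrapper") + b")\x81}("
            + bu("subclass") + global_op("numpy", "ndarray") + bu("shape") + b"K\x02\x85" + bu("order") + bu("C")
            + bu("dtype") + global_op("numpy", "dtype") + bu(dtype_spec) + b"\x85R" + bu("allow_mmap") + b"\x89ub")


# Constructed samples, hand-built to follow the layout joblib writes; not produced by joblib itself.
# Object array: a complete second pickle (the array, holding a mypkg.model.Custom instance) follows BUILD.
NESTED_ARRAY = (b"\x80\x02" + global_op("numpy.core.multiarray", "_reconstruct") + b"(" + global_op("numpy", "ndarray")
                + b"K\x00\x85" + bu("b") + b"tR(K\x01K\x02\x85" + global_op("numpy", "dtype") + bu("O8") + b"\x85R\x89]("
                + global_op("mypkg.model", "Custom") + b")\x81" + bu("x") + b"etb.")
SAMPLE_OBJECT_ARRAY = wrapper_head("O8") + NESTED_ARRAY + b"."
# float64 array: 2 * 8 raw data bytes follow BUILD instead of opcodes, then the outer STOP.
FLOAT_HEAD = wrapper_head("<f8")
SAMPLE_FLOAT_ARRAY = FLOAT_HEAD + b"\x00" * 16 + b"."

if __name__ == "__main__":
    for label, blob in (("object array", SAMPLE_OBJECT_ARRAY), ("float64 array", SAMPLE_FLOAT_ARRAY)):
        print(label, scan_joblib_bytes(blob))
```

For the object-array sample the report shows two streams, the wrapper flagged at offset 2 and the non-allowlisted mypkg.model.Custom reference that lives only inside the nested pickle. The float64 sample shows the caveat: raw array bytes are not opcodes, so the walker stops at failed_at and a complete scanner has to compute the data length from the wrapper's shape and dtype itemsize and skip it; this example only reports where parsing stopped. Treating any object-dtype wrapper as an untrusted pickle (inspect the following stream, or reject the file outright under policy) is the cheap mitigation for the bypass described on this page.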

Disclaimer

This PoC contains a harmless payload (writes a text file). It is intended solely for authorized security research under the Huntr bug bounty program.
