Joblib F002 NDArrayWrapper Path Traversal
Payload repository for Huntr / ProtectAI triage.

Finding: Joblib Model Load Path Traversal Reads External .npy Files via NDArrayWrapper.filename in Joblib.

Primary payload: F002/f002_traversal.joblib

Payload SHA256: 6f17bbd8c0952b6e4a8c44e889088f7f2290d8794040a09989ca5cb3f8df360f

Confirmed behavior: A crafted Joblib file containing legacy NDArrayWrapper metadata with filename ../private/secret_embeddings.npy causes joblib.load() to read and return a controlled .npy file outside the upload/model directory.

Live proof: The uploaded model was saved under /work/uploads/... and caused Joblib 1.5.3 to read /work/private/secret_embeddings.npy, returning array([3.14159, 2.71828, 1.61803]) with status LOAD_OK.

Supporting files:
- F002/f002_traversal.joblib
- F002/f002_sha256.txt
- F002/f002_hex_head.txt
- F002/container_secret_setup.txt
- responses/F002_live_load_response.json
- PROOF_SUMMARY.md

This repository intentionally contains only Joblib F002 NDArrayWrapper path traversal artifacts.
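
A defender-side static check for the behavior described above, added here as an example and not part of this repository or of Joblib: it walks the pickle opcodes of an uncompressed Joblib file without loading it, and reports references to the legacy wrapper classes and any `filename` value that is not a bare file name. The function names and the "string pushed right after the `filename` key" heuristic are assumptions of this example.

```python
import io
import ntpath
import pickle
import pickletools
import posixpath
import sys

LEGACY_WRAPPERS = {"NDArrayWrapper", "ZNDArrayWrapper"}  # joblib.numpy_pickle_compat
MEMO_PUT = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}
MEMO_GET = {"GET", "BINGET", "LONG_BINGET"}


def escapes_model_dir(name):
    """True unless `name` is a bare file name (no directory, drive or dot entry)."""
    return (name in ("", ".", "..")
            or posixpath.basename(name) != name
            or ntpath.basename(name) != name)


def scan_joblib(data):
    """Parse pickle opcodes without executing them.

    Returns (uses_legacy_wrapper, suspicious_filenames).
    """
    memo, last, legacy, suspicious = {}, None, False, []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in MEMO_PUT:  # remember what the memo slot holds
            memo[len(memo) if op.name == "MEMOIZE" else arg] = last
            continue
        name = None
        if op.name in MEMO_GET:
            value = memo.get(arg)
        elif isinstance(arg, str) and ("UNICODE" in op.name or "STRING" in op.name):
            value = arg
        else:
            value = None
            if op.name in ("GLOBAL", "INST"):
                name = arg.split()[-1]
            elif op.name == "STACK_GLOBAL":
                name = last  # class name is the string pushed just before
        legacy = legacy or name in LEGACY_WRAPPERS
        # Heuristic: the string pushed right after the key "filename" is its value.
        if last == "filename" and value is not None and escapes_model_dir(value):
            suspicious.append(value)
        last = value
    return legacy, suspicious


if __name__ == "__main__":
    for path in sys.argv[1:]:  # files from the upload directory
        with open(path, "rb") as fh:
            print(path, scan_joblib(fh.read()))
    # Constructed benign sample: a bare sibling name is not flagged.
    print(scan_joblib(pickle.dumps({"filename": "model.pkl_01.npy"})))
```

Compressed Joblib files are not pickle streams at byte 0, so `pickletools.genops` raises `ValueError` on them; an upload gate should treat that, and any legacy wrapper hit, as a reason to refuse the file before `joblib.load()` is ever called.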