README.md

F003 v2 — Joblib BinaryZlibFile unused_data OOM / Loader DoS

Status

This is a stronger evidence pack for existing F003. It is not a new finding ID.

Confirmed Claim

A crafted compressed .joblib file can cause joblib.load() to enter an unbounded decompression path in BinaryZlibFile._fill_buffer() by repeatedly feeding zlib unused_data back into a finished decompressor. This causes exponential unused_data growth and process-level denial of service.

PoC File

Path: poc/f003_unused_data_oom.joblib

SHA256: 9673f843f3d71ceb65db8764ea74ee58186b10083ccf66322a1b0e9d9033db0a

Size: 66 bytes

Confirmed Evidence

• evidence/01_unused_data_growth.txt Shows deterministic unused_data doubling from 52 bytes to 436,207,616 bytes.

• evidence/02_direct_joblib_load_oom_or_timeout.txt Shows direct joblib.load() of the crafted file inside a Docker memory limit.

Confirmed direct-load result: direct_load_rc=137

Safe Impact Statement

In applications or model-serving services that call joblib.load() on attacker-supplied .joblib files without subprocess isolation, memory limits, or timeout controls, each malicious file can terminate a loading worker. Multiple submissions can cause low-bandwidth worker or pod exhaustion.

Non-Claims

• No RCE claimed.
• No data theft claimed.
• No host/container escape claimed.
• No persistent outage after worker restart claimed.
• No claim that every deployment is remotely exploitable.
• No claim that every historical Joblib version is affected unless separately verified.