Hugging Face's logo

01data-ai
/
joblib_f003_unused_data_oom_dos

Joblib
Model card Files
xet
 Community
joblib_f003_unused_data_oom_dos / README.md
01data-ai's picture
01data-ai
Upload 7 files
14fd22f verified
preview code
|
raw
history blame contribute delete
1.54 kB
# F003 v2 — Joblib BinaryZlibFile unused_data OOM / Loader DoS
## Status
This is a stronger evidence pack for existing F003. It is not a new finding ID.
## Confirmed Claim
A crafted compressed .joblib file can cause joblib.load() to enter an unbounded decompression path in BinaryZlibFile._fill_buffer() by repeatedly feeding zlib unused_data back into a finished decompressor. This causes exponential unused_data growth and process-level denial of service.
## PoC File
Path:
poc/f003_unused_data_oom.joblib
SHA256:
9673f843f3d71ceb65db8764ea74ee58186b10083ccf66322a1b0e9d9033db0a
Size:
66 bytes
## Confirmed Evidence
- evidence/01_unused_data_growth.txt
 Shows deterministic unused_data doubling from 52 bytes to 436,207,616 bytes.
- evidence/02_direct_joblib_load_oom_or_timeout.txt
 Shows direct joblib.load() of the crafted file inside a Docker memory limit.
Confirmed direct-load result:
direct_load_rc=137
## Safe Impact Statement
In applications or model-serving services that call joblib.load() on attacker-supplied .joblib files without subprocess isolation, memory limits, or timeout controls, each malicious file can terminate a loading worker. Multiple submissions can cause low-bandwidth worker or pod exhaustion.
## Non-Claims
- No RCE claimed.
- No data theft claimed.
- No host/container escape claimed.
- No persistent outage after worker restart claimed.
- No claim that every deployment is remotely exploitable.
- No claim that every historical Joblib version is affected unless separately verified.