Joblib NDArrayWrapper Sidecar Scanner Bypass PoC

Security research PoC for responsible disclosure through Huntr's Model File Vulnerability program.

This repository demonstrates a scanner-bypass pattern for .joblib artifacts:

model.joblib contains a legacy joblib.numpy_pickle_compat.NDArrayWrapper.
The wrapper references weights.weights.
weights.weights is a valid NumPy object-array file with an unsupported extension.
joblib.load("model.joblib") resolves and loads the sidecar with allow_pickle=True.
ModelScan and PickleScan do not follow the sidecar reference and report no dangerous payload.

The payload is benign. Loading the model writes a marker file at /tmp/joblib_mfv_marker.txt.

Tested Versions

Python 3.12.13
joblib==1.5.3
modelscan==0.8.8
picklescan==1.0.4
numpy==2.4.5

Reproduce

python -m venv .venv
. .venv/bin/activate
pip install -r requirements.txt

rm -f /tmp/joblib_mfv_marker.txt
python reproduce.py
test -f /tmp/joblib_mfv_marker.txt && echo "marker created"

Scanner Checks

modelscan -p . -r json --show-skipped
picklescan -p . -g

Expected scanner behavior:

ModelScan scans model.joblib, skips weights.weights as unsupported, and reports 0 issues.
PickleScan reports 0 infected files and 0 dangerous globals for this artifact.

Expected load behavior:

joblib.load("model.joblib") creates /tmp/joblib_mfv_marker.txt.

Why This Matters

The dangerous pickle stream is not stored in the main .joblib file. It is stored in a sidecar file whose filename is controlled by the legacy Joblib wrapper. Scanners that only inspect the wrapper stream, or only scan NumPy files by extension, miss the payload that Joblib later loads.

This is distinct from generic pickle/joblib deserialization and from already-public compressed-joblib or inline NumPy object-array bypasses.

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support