---
license: mit
tags:
- security-research
- proof-of-concept
- vulnerability-disclosure
---

# Security Research: Compressed Joblib Scanner Evasion PoC

> **WARNING:** This repository contains proof-of-concept model files for security research purposes only.
> These files demonstrate a scanner evasion vulnerability and should NOT be loaded on production systems.

## Purpose

This repository hosts PoC model files demonstrating that compressed Joblib files bypass
ModelScan v0.8.8 and Picklescan v1.0.4 static analysis while containing arbitrary code
execution payloads.

## Files

| File | Description | Scanner Result |
|------|-------------|----------------|
| `malicious_compressed.joblib` | LZMA-compressed payload via `exec()` | **0 issues** (both scanners) |
| `malicious_uncompressed.joblib` | Same payload, no compression | **Detected** (both scanners) |
| `benign_reference.joblib` | Clean model for comparison | Clean |

## Reproduction

```bash
pip install joblib==1.5.3 modelscan==0.8.8 picklescan==1.0.4

# Scan compressed — MISSED
modelscan --path malicious_compressed.joblib
picklescan --path malicious_compressed.joblib

# Scan uncompressed — DETECTED
modelscan --path malicious_uncompressed.joblib
picklescan --path malicious_uncompressed.joblib

# Load compressed — ACE triggers
python -c "import joblib; joblib.load('malicious_compressed.joblib')"
```

## Responsible Disclosure

This vulnerability has been reported via Huntr's MFV bounty program.