Rammadaeus committed on
Commit 54b2ff2 · verified · 1 Parent(s): 5d8738e

Add PoC and reproduction instructions

Files changed (1)
  1. README.md +20 -0
README.md ADDED
@@ -0,0 +1,20 @@
 + # PoC: Joblib Compressed Pickle Bypasses ML Security Scanners
 +
 + **Format:** Joblib (.joblib)
 + **Target:** PickleScan + ModelScan
 + **CWE:** CWE-502 (Deserialization of Untrusted Data)
 +
 + ## Vulnerability
 +
 + Joblib compressed pickles bypass both PickleScan and ModelScan. The scanners use `pickletools.genops()` which cannot parse compressed data, reporting files as clean. `joblib.load()` handles decompression and executes the embedded payload.
 +
 + ## Reproduction
 +
 + ```bash
 + pip install picklescan modelscan
 + picklescan -p poc_joblib_bypass.joblib # Reports: Infected files: 0
 + modelscan scan -p poc_joblib_bypass.joblib # Reports: No issues found!
 + python3 -c "import joblib; joblib.load('poc_joblib_bypass.joblib')" # Executes payload
 + ```
 +
 + **Tested:** PickleScan 1.0.3, ModelScan 0.8.7
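Review bot: the Reproduction block (`picklescan -p poc_joblib_bypass.joblib` through `python3 -c "import joblib; joblib.load('poc_joblib_bypass.joblib')"`) depends on a file, `poc_joblib_bypass.joblib`, that this commit does not add (Files changed: README.md only), and the README contains neither a generator script nor a description of how the file was built, so the result cannot be reproduced from this commit alone. Please add the script that produces the file, and state which joblib compression was used (joblib supports several, and that determines the bytes the scanners actually see) and what the payload does when `joblib.load()` runs it, since the comment "Executes payload" gives a reader nothing to verify against. Two smaller points in the same block: `pip install picklescan modelscan` is unpinned while the **Tested:** line names PickleScan 1.0.3 and ModelScan 0.8.7, so pin them (`pip install picklescan==1.0.3 modelscan==0.8.7`) or the expected "Infected files: 0" and "No issues found!" output may not hold once either scanner changes its handling of compressed input; and the Tested line should also record the Python and joblib versions, because the Vulnerability section's claim rests on how those specific scanner versions feed the file to `pickletools.genops()`.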