Joblib RCE PoC - importlib.import_module + operator.methodcaller ModelScan Bypass
Vulnerability
A malicious .joblib file achieves remote code execution via pickle deserialization by chaining `importlib.import_module` with `operator.methodcaller`, bypassing ModelScan's `unsafe_globals` blocklist.
ModelScan Bypass
ModelScan's pickle scanner checks GLOBAL/STACK_GLOBAL opcodes against a blocklist. This payload only uses:

- `importlib.import_module` (NOT in blocklist)
- `operator.methodcaller` (NOT in blocklist; only `operator.attrgetter` is blocked)
These two functions are chained to achieve arbitrary command execution:
- `importlib.import_module("os")` dynamically imports the `os` module
- `operator.methodcaller("system", cmd)` creates a callable that invokes `.system(cmd)` on whatever it is applied to
- Applying the methodcaller to the `os` module executes `os.system(cmd)`
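A static check a defender can run before loading a model, added here as an example that is not part of this repository or of ModelScan: it disassembles the pickle stream with `pickletools.genops` (never unpickling it) and flags the two globals this bypass chains. The samples are constructed inline; the flagged one only references the functions and contains no call.

```python
import importlib
import operator
import pickle
import pickletools

# Globals chained by the bypass described above, plus the one ModelScan
# already blocks. Any hit in a .joblib/.pkl is grounds for rejecting the file.
SUSPICIOUS_GLOBALS = {
    ("importlib", "import_module"),
    ("operator", "methodcaller"),
    ("operator", "attrgetter"),
}

_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}

def pickle_globals(data: bytes) -> list:
    """Statically list every (module, name) a pickle stream resolves via
    GLOBAL or STACK_GLOBAL. The stream is only disassembled, never loaded."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                  # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: pops two strings
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found

def scan_pickle(data: bytes) -> set:
    """Return the suspicious globals referenced by the stream (empty = clean)."""
    return SUSPICIOUS_GLOBALS.intersection(pickle_globals(data))

# Constructed samples. The flagged ones only *reference* the functions
# (unpickling would return them uncalled); there is no REDUCE, so they are
# detection fixtures, not payloads.
CLEAN_SAMPLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
SUSPICIOUS_SAMPLE = pickle.dumps(
    [importlib.import_module, operator.methodcaller], protocol=4)
LEGACY_SAMPLE = pickle.dumps(importlib.import_module, protocol=2)

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_SAMPLE), ("proto4", SUSPICIOUS_SAMPLE),
                        ("proto2", LEGACY_SAMPLE)]:
        print(label, sorted(scan_pickle(blob)) or "no suspicious globals")
```

Run it over the raw bytes of a `.joblib` file before ever calling `joblib.load`; a non-empty result means the file should be quarantined regardless of what ModelScan reports.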
Reproduction
```python
import joblib

model = joblib.load("model.joblib")  # RCE occurs here
```
Check /tmp/joblib_rce_proof for execution evidence.
Impact
Arbitrary command execution when a user loads a malicious .joblib model file.