
joblib-01 PoC: MemorizedFunc / MemorizedResult pickle state forgery

Two crafted joblib artifacts, 403 and 317 bytes respectively. Neither contains a dangerous pickle opcode; picklescan and modelscan both report 0 issues on both files. The bug is not in joblib.load itself; it is in what happens when victim code calls the documented .clear() or .get() method on the object that joblib.load just returned.

joblib01_malicious_clear_gadget.joblib: a forged MemorizedFunc with a path-traversal func_id. Loading it is inert. Calling .clear(warn=False) on the loaded object reaches StoreBackendMixin.clear_path -> shutil.rmtree on a path outside the configured cache directory, deleting an attacker-chosen directory tree anywhere the process can write.

joblib01_malicious_get_gadget.joblib: a forged MemorizedResult with a path-traversal _call_id. Loading it is inert. Calling .get() on the loaded object reaches StoreBackendMixin.load_item -> numpy_pickle.load on a second, attacker-planted file at a predictable redirected path. That second file (joblib01_stage2_output.pkl in this repo, normally placed as output.pkl inside the redirected directory) is a fresh, unrestricted pickle stream and can contain any REDUCE-based payload, giving full code execution. The delivered .joblib file itself never contains that payload, so a scanner that inspects only the delivered file sees nothing.

Full root cause, call chain, and reproduction script are in the huntr report and in the workspace finding joblib-01-memorizedfunc-memorizedresult-state-forgery-path-escape.md.
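A defender-side static check for the two gadget shapes described above, added here as an example; it is not part of this repository or of joblib. It walks the opcode stream with pickletools without ever unpickling, and flags a stream that both references joblib.memory.MemorizedFunc or MemorizedResult and carries a string constant that would escape the cache directory. The sample streams it builds are constructed, simplified stand-ins for the forged objects (not the repo's artifacts); the attribute names func_id and _call_id are taken from the text above, and the module path joblib.memory is an assumption about where the classes live.

```python
import pickle
import pickletools
import struct

# Classes whose documented .clear()/.get() act on paths derived from pickled
# state. Assumption: module and class names as used in the joblib source tree.
GADGET_CLASSES = {("joblib.memory", "MemorizedFunc"), ("joblib.memory", "MemorizedResult")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def _escapes_cache_dir(s):
    """True if joining s onto a cache directory could leave that directory."""
    if not isinstance(s, str):
        return False
    parts = s.replace("\\", "/").split("/")
    return ".." in parts or s.startswith("/") or (len(s) > 1 and s[1] == ":")

def scan_joblib_pickle(data):
    """Walk the opcode stream statically (never unpickles); return findings."""
    findings, strings = [], []          # strings: constants in stream order
    for op, arg, pos in pickletools.genops(data):
        ref = None
        if op.name in STRING_OPS:
            strings.append(arg)
            if _escapes_cache_dir(arg):
                findings.append(f"path-escape string {arg!r} at offset {pos}")
        elif op.name == "GLOBAL":       # genops gives arg as 'module name'
            ref = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            ref = (strings[-2], strings[-1])   # module, name pushed just before
        if ref in GADGET_CLASSES:
            findings.append(f"gadget class {ref[0]}.{ref[1]} at offset {pos}")
    return findings

def is_forged_gadget(data):
    """Flag only the combination the page describes: gadget class + path escape."""
    f = scan_joblib_pickle(data)
    return (any(x.startswith("gadget class") for x in f)
            and any(x.startswith("path-escape") for x in f))

def forged_sample(cls_name, attr, value):
    """Constructed protocol-2 stand-in: GLOBAL cls; NEWOBJ; BUILD {attr: value}."""
    s = lambda x: b"X" + struct.pack("<I", len(x.encode())) + x.encode()  # BINUNICODE
    return (b"\x80\x02c" + b"joblib.memory\n" + cls_name.encode() + b"\n"
            + b")\x81}(" + s(attr) + s(value) + b"ub.")

def benign_sample():
    """Constructed: an escape-looking string but no gadget class reference."""
    return pickle.dumps({"func_id": "../escape"})
```

Real artifacts may serialize object state through a custom __reduce__ rather than a plain BUILD dict, which is why the scan flags escape-looking strings anywhere in the stream rather than only under a known attribute name.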
