Joblib NDArrayWrapper Scanner Bypass PoC
Vulnerability
Loading model.joblib with joblib.load() achieves arbitrary code execution while bypassing both picklescan and modelscan.
The .joblib file contains a legacy NDArrayWrapper (joblib.numpy_pickle_compat) whose filename attribute is model.weights. On load, joblib's compat unpickler joins that filename with the directory of model.joblib and calls np.load(..., allow_pickle=True) on it. Because model.weights is not a .npy/.npz file, numpy falls through to pickle.load and executes the pickle payload in the companion file. The payload therefore never appears in model.joblib itself, the only pickle the scanners inspect for dangerous globals.
Scanner Results
picklescan -p . → Infected files: 0, Dangerous globals: 0
modelscan -p . → No issues found!
Reproduction
import joblib
# model.weights is resolved relative to the directory containing model.joblib,
# so both files must sit side by side.
joblib.load("model.joblib")
# → executes payload from model.weights
Root Cause
joblib/numpy_pickle_compat.py line 110: allow_pickle=True is passed to np.load unconditionally
joblib/numpy_pickle_compat.py line 99: the filename taken from the attacker-controlled NDArrayWrapper state is joined to the archive directory and opened without validation
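A static check for this pattern, added here as an example and not part of the original PoC or of joblib: it walks the opcode stream of a .joblib file with the standard library's pickletools (nothing is unpickled), flags references to joblib.numpy_pickle_compat.NDArrayWrapper, resolves the wrapper's filename the same way the compat unpickler does (relative to the directory of the .joblib file), and classifies the companion by its header, since np.load only treats a file starting with the .npy magic or a zip header as an array and otherwise unpickles it when allow_pickle=True. The sample model.joblib is hand-assembled from raw pickle opcodes so the check runs without joblib or numpy installed; it and the placeholder companion are constructed inputs, not the files from the PoC. The 'filename'-key heuristic assumes the wrapper's __dict__ is pickled in the usual key, value order.

```python
import os
import pickle
import pickletools
import struct
import tempfile

WRAPPER_MODULE = "joblib.numpy_pickle_compat"
WRAPPER_NAME = "NDArrayWrapper"
NPY_MAGIC = b"\x93NUMPY"   # header that makes np.load parse an .npy array
ZIP_MAGIC = b"PK\x03\x04"  # header that makes np.load open an .npz archive
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_wrapper_refs(data: bytes) -> dict:
    """Walk the opcode stream (nothing is unpickled) and return how many
    NDArrayWrapper globals appear plus the filenames they carry."""
    strings = []   # string constants in stream order
    wrappers = 0
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
            continue
        if op.name == "GLOBAL":                 # protocols 0-3: "module name"
            module, name = arg.split(" ", 1)
        elif op.name == "STACK_GLOBAL":         # protocol 4+: module and name
            if len(strings) < 2:                # were pushed as two strings
                continue
            module, name = strings[-2], strings[-1]
        else:
            continue
        if (module, name) == (WRAPPER_MODULE, WRAPPER_NAME):
            wrappers += 1
    # Heuristic (assumption): the wrapper's state is its __dict__, so the key
    # 'filename' is immediately followed by the companion path it points at.
    filenames = [strings[i + 1] for i in range(len(strings) - 1)
                 if strings[i] == "filename"] if wrappers else []
    return {"wrappers": wrappers, "filenames": filenames}


def scan_joblib_file(path: str) -> list:
    """Resolve each reference as joblib does, relative to the directory of
    the .joblib file, and classify the companion by its header."""
    with open(path, "rb") as f:
        refs = find_wrapper_refs(f.read())
    dirname = os.path.dirname(os.path.abspath(path))
    findings = []
    for ref in refs["filenames"]:
        companion = os.path.join(dirname, ref)   # unpickler._dirname + filename
        if not os.path.isfile(companion):
            verdict = "missing"
        else:
            with open(companion, "rb") as f:
                head = f.read(len(NPY_MAGIC))
            if head.startswith(NPY_MAGIC) or head.startswith(ZIP_MAGIC):
                verdict = "array"     # parsed as .npy/.npz
            else:
                verdict = "pickle"    # np.load(allow_pickle=True) unpickles it
        findings.append({"ref": ref, "path": companion, "verdict": verdict})
    return findings


def _binunicode(s: str) -> bytes:
    b = s.encode("utf-8")
    return pickle.BINUNICODE + struct.pack("<I", len(b)) + b


def build_wrapper_pickle(filename: str) -> bytes:
    """Constructed sample: a protocol-2 pickle equivalent to an
    NDArrayWrapper(filename, subclass=None, allow_mmap=False), assembled
    from raw opcodes so joblib need not be installed."""
    return b"".join([
        pickle.PROTO + b"\x02",
        pickle.GLOBAL + b"joblib.numpy_pickle_compat\nNDArrayWrapper\n",
        pickle.EMPTY_TUPLE, pickle.NEWOBJ,        # cls.__new__(cls)
        pickle.EMPTY_DICT, pickle.MARK,
        _binunicode("filename"), _binunicode(filename),
        _binunicode("subclass"), pickle.NONE,
        _binunicode("allow_mmap"), pickle.NEWFALSE,
        pickle.SETITEMS,
        pickle.BUILD,                             # obj.__dict__.update(state)
        pickle.STOP,
    ])


def demo(companion: bytes = pickle.dumps("placeholder, not a payload")) -> list:
    """Write a sample model.joblib plus companion into a temp dir and scan.
    The default companion is a harmless pickle standing in for model.weights."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "model.joblib"), "wb") as f:
            f.write(build_wrapper_pickle("model.weights"))
        with open(os.path.join(d, "model.weights"), "wb") as f:
            f.write(companion)
        return scan_joblib_file(os.path.join(d, "model.joblib"))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real archive with scan_joblib_file("model.joblib"); any finding whose verdict is "pickle" (or "missing", which an attacker can fill later) is a companion that joblib.load() would hand to pickle.load, regardless of what picklescan or modelscan report for the .joblib file alone.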