Uploaded by dyngnosis, commit 15e7906 (verified): "Upload folder using huggingface_hub"
# Joblib NDArrayWrapper Scanner Bypass PoC
## Vulnerability
Loading `model.joblib` with `joblib.load()` executes attacker-supplied code, and neither picklescan nor modelscan flags the repository.
The `.joblib` stream itself contains no dangerous global. What it contains is a legacy `NDArrayWrapper` object (the class older joblib releases stored in place of arrays written to companion files) whose `filename` field is `model.weights`. When joblib's unpickler rebuilds the wrapper it joins that name to the directory of `model.joblib` and calls `np.load(<dir>/model.weights, allow_pickle=True)`. `model.weights` is not an `.npy` array but a plain pickle, so NumPy falls back to `pickle.load` and the payload in the companion file runs.
## Scanner Results
```
picklescan -p . → Infected files: 0, Dangerous globals: 0
modelscan -p . → No issues found!
```
## Reproduction
```python
import joblib

# model.joblib and model.weights must sit in the same directory: the wrapper's
# filename is resolved relative to the .joblib file, not to the working directory.
joblib.load("model.joblib")
# → joblib rebuilds the NDArrayWrapper, calls np.load() on model.weights with
#   allow_pickle=True, and the pickle payload in that file executes
```
## Root Cause
`joblib/numpy_pickle_compat.py` line 110 (`NDArrayWrapper.read`): `allow_pickle=True` is passed to `np.load` unconditionally, so a companion that is not an `.npy`/`.npz` file is unpickled instead of rejected.
`joblib/numpy_pickle_compat.py` line 99: the `filename` taken from the pickle is joined to the model's directory and used as-is. Nothing checks that it names an array file or that it stays inside that directory, so an absolute path or a `../` component reaches any readable file on the host.
Line numbers are for the joblib release the PoC was built against and shift between versions.
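The mechanism in the Vulnerability section and the two root-cause lines above translate into a check a reviewer can run before loading. The script below is an added example written for this page, not code from this repository or from joblib: it disassembles pickle streams with `pickletools.genops` (nothing is ever unpickled), records every `GLOBAL`/`STACK_GLOBAL`, and when it meets a joblib `NDArrayWrapper` it takes the `filename` from the wrapper's state, joins it to the model's directory exactly as `NDArrayWrapper.read` does, and scans that companion regardless of its extension. A `filename` that resolves outside the model directory is reported as a path escape. `WRAPPER_GLOBALS`, `DANGEROUS_GLOBALS`, the function names, and the `model.joblib`/`model.weights` pair the script builds for itself are this example's own; that pair is hand-assembled pickle bytes so the script runs without joblib or numpy installed, and its `os.system` payload is only read, never executed.

```python
import os
import pickletools
import struct
import tempfile

# Hypothetical watch-list: wrapper classes whose pickled state carries a 'filename'
# (both module paths resolve to the same legacy class in current joblib).
WRAPPER_GLOBALS = {"joblib.numpy_pickle NDArrayWrapper",
                   "joblib.numpy_pickle_compat NDArrayWrapper"}
# Small deny-list of "module name" globals that run code when unpickled.
DANGEROUS_GLOBALS = {"os system", "posix system", "nt system", "os popen", "subprocess Popen",
                     "subprocess run", "subprocess call", "builtins eval", "builtins exec"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def walk_pickle(data):
    """Disassemble one pickle stream without loading it; return (globals, companions).
    companions = string values following a 'filename' key once a wrapper class has
    appeared (NDArrayWrapper's state is {'filename', 'subclass', 'allow_mmap'})."""
    found, companions, strings, saw_wrapper = [], [], [], False
    for opcode, arg, _pos in pickletools.genops(data):   # raises ValueError if not a pickle
        if opcode.name in STRING_OPS:
            if saw_wrapper and strings and strings[-1] == "filename":
                companions.append(arg)
            strings.append(arg)
        elif opcode.name == "GLOBAL":
            found.append(arg)                             # arg is already "module name"
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append(f"{strings[-2]} {strings[-1]}")  # module and name pushed as strings
        if found and found[-1] in WRAPPER_GLOBALS:
            saw_wrapper = True
    return found, companions


def scan_pickle_file(path, _depth=0):
    """Scan `path` plus every companion it references, whatever the companion's
    extension (np.load with allow_pickle=True unpickles anything that is not .npy/.npz)."""
    dirname = os.path.realpath(os.path.dirname(path))
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\x93NUMPY") or data.startswith(b"PK\x03\x04"):
        return [("numpy_array_file", name)]  # real .npy/.npz; object-dtype contents out of scope
    try:
        found, companions = walk_pickle(data)
    except ValueError:
        return [("not_a_pickle", name)]
    findings = [("dangerous_global", f"{name}:{g}") for g in found if g in DANGEROUS_GLOBALS]
    for comp in companions:
        findings.append(("companion", f"{name} -> {comp}"))
        # Same unvalidated join NDArrayWrapper.read performs before calling np.load.
        target = os.path.realpath(os.path.join(dirname, comp))
        if os.path.commonpath([dirname, target]) != dirname:
            findings.append(("path_escape", comp))
        elif not os.path.isfile(target):
            findings.append(("companion_missing", comp))
        elif _depth < 3:  # bound chains of wrappers pointing at further wrappers
            findings += scan_pickle_file(target, _depth + 1)
    return findings


def _binunicode(s):
    raw = s.encode("utf-8")
    return b"X" + struct.pack("<I", len(raw)) + raw  # BINUNICODE, as protocol-2 picklers emit


def build_sample_pair(dirname, companion="model.weights"):
    """Write a constructed model.joblib / companion pair shaped like the PoC: the
    .joblib holds only an NDArrayWrapper pointing at `companion`, the companion a
    bare os.system reduce. Hand-assembled bytes; nothing here is ever loaded."""
    wrapper = (
        b"\x80\x02"                                # PROTO 2
        b"cjoblib.numpy_pickle\nNDArrayWrapper\n"  # GLOBAL: the legacy wrapper class
        b")\x81"                                   # EMPTY_TUPLE, NEWOBJ
        b"}("                                      # EMPTY_DICT, MARK: state dict follows
        + _binunicode("filename") + _binunicode(companion)
        + _binunicode("subclass") + b"cnumpy\nndarray\n"
        + _binunicode("allow_mmap") + b"\x89"      # NEWFALSE
        + b"ub."                                   # SETITEMS, BUILD, STOP
    )
    payload = b"cos\nsystem\n(Vecho pwned\ntR."    # os.system('echo pwned'), constructed
    joblib_path = os.path.join(dirname, "model.joblib")
    with open(joblib_path, "wb") as fh:
        fh.write(wrapper)
    with open(os.path.join(dirname, companion), "wb") as fh:
        fh.write(payload)
    return joblib_path


def run_demo(companion="model.weights"):
    """Build a sample pair one level below a fresh temp dir and return the findings."""
    model_dir = os.path.join(tempfile.mkdtemp(prefix="joblib-scan-"), "model")
    os.mkdir(model_dir)
    return scan_pickle_file(build_sample_pair(model_dir, companion))


if __name__ == "__main__":
    for finding in run_demo() + run_demo("../outside.weights"):
        print(*finding)
```

Run as a script it scans its own constructed pair and a second pair whose wrapper points at `../outside.weights`. Pointed at the PoC directory, `scan_pickle_file("model.joblib")` reports a `companion` finding for `model.weights` followed by whatever that file contains: a `dangerous_global` finding if the payload uses one of the listed globals. The deny-list is deliberately short; in practice an allow-list of expected globals is the stronger policy, and the point of the example is the companion-following step that extension-based scanners skip.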