Joblib inline object-array nested pickle bypass PoC
This repository hosts a security research PoC: a Joblib artifact that bypasses two pickle scanners and executes a subprocess during joblib.load(). The payload itself is harmless (it only writes a marker file), but the loading path it exercises is the real attack surface.
Files
malicious_inline_object_array.joblib
Behavior
The artifact is a single .joblib file containing an inline object-dtype NumPy array.
Its top-level pickle stream restores joblib.numpy_pickle.NumpyArrayWrapper. When that wrapper is rebuilt, NumpyArrayWrapper.read_array(...) reads the object-array payload as a nested pickle stream stored inline in the same file. That nested pickle reduces to joblib.testing.check_subprocess_call(...), which spawns a subprocess.
Observed scanner behavior on the research machine:
- picklescan 1.0.4: `Infected files: 0`
- modelscan 0.8.8: internal `PickleUnsafeOpScan` error, but the final output still says `No issues found!`
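The following is an added example, not code from this repository or from picklescan/modelscan. It statically walks a raw (uncompressed) joblib pickle byte stream, restarting the disassembler after every STOP so that the nested stream following a NumpyArrayWrapper BUILD is also covered, lists every global reference, and checks them against an allowlist rather than a denylist. The `SAMPLE` bytes are a constructed stand-in assembled from pickle opcode constants (not the real artifact, so joblib and numpy are not needed), and the `DENIED_MODULES` / `ALLOWED_MODULES` sets are illustrative assumptions, not either scanner's actual rules.

```python
"""Added example, not code from this repository: statically list every
GLOBAL / STACK_GLOBAL reference in a raw (uncompressed) joblib pickle byte
stream, including references inside a nested pickle stream that follows a
NumpyArrayWrapper BUILD opcode, and check them against an allowlist.
Nothing is unpickled, so the payload never runs."""
import io
import pickle
import pickletools

# Constructed stand-in for the artifact's layout, assembled from pickle opcode
# constants so the example runs without joblib or numpy. It mirrors the layout
# described above: the top-level stream restores NumpyArrayWrapper, and the
# bytes right after its BUILD opcode are a second, nested pickle stream.
SAMPLE = (
    pickle.PROTO + b"\x02"
    + pickle.GLOBAL + b"joblib.numpy_pickle\nNumpyArrayWrapper\n"
    + pickle.EMPTY_TUPLE + pickle.NEWOBJ
    + pickle.EMPTY_DICT + pickle.BUILD      # read_array() takes over from here
    # nested stream: what pickle.load(file_handle) inside read_array() consumes
    + pickle.PROTO + b"\x02"
    + pickle.GLOBAL + b"joblib.testing\ncheck_subprocess_call\n"
    + pickle.EMPTY_TUPLE + pickle.REDUCE + pickle.STOP
    # back in the top-level stream
    + pickle.STOP
)


def find_globals(data):
    """Return [(offset, module, name)] for every global reference in data.

    pickletools.genops stops at each STOP opcode. Restarting it at the current
    offset until the buffer is exhausted means a nested or trailing stream is
    disassembled instead of being ignored after the first STOP.
    """
    found = []
    buf = io.BytesIO(data)
    while buf.tell() < len(data):
        recent_strings = []  # STACK_GLOBAL (protocol 4+) takes module/name from the stack
        try:
            for op, arg, pos in pickletools.genops(buf):
                if op.name in ("GLOBAL", "INST"):
                    module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
                    found.append((pos, module, name))
                elif op.name == "STACK_GLOBAL":
                    pair = recent_strings[-2:]
                    if len(pair) == 2:
                        found.append((pos, pair[0], pair[1]))
                    else:  # module/name came via memo (BINGET); resolve by hand
                        found.append((pos, "<unresolved>", "<unresolved>"))
                elif isinstance(arg, str):
                    recent_strings.append(arg)
        except ValueError:
            # Non-pickle bytes, e.g. raw ndarray data after a non-object
            # NumpyArrayWrapper. A full scanner would skip the array payload
            # using the wrapper's dtype/shape and resume; this example stops.
            break
    return found


# Illustrative module denylist of the shape many pickle scanners use (an
# assumption for this example, not picklescan's or modelscan's actual rules).
DENIED_MODULES = {"os", "posix", "nt", "subprocess", "sys", "builtins"}

# Allowlist: modules a plain numpy/joblib array artifact may legitimately name.
# Everything else, including joblib's own test helper, is reported.
ALLOWED_MODULES = {"numpy", "numpy.core.multiarray", "numpy._core.multiarray",
                   "joblib.numpy_pickle"}


def flagged_by_denylist(data, denied=DENIED_MODULES):
    """Denylist view: joblib.testing is not a denied module, so nothing fires."""
    return [(m, n) for _, m, n in find_globals(data) if m.split(".")[0] in denied]


def flagged_by_allowlist(data, allowed=ALLOWED_MODULES):
    """Allowlist view: any module outside the expected set is reported."""
    return [(m, n) for _, m, n in find_globals(data) if m not in allowed]


if __name__ == "__main__":
    for offset, module, name in find_globals(SAMPLE):
        print(f"offset {offset}: {module}.{name}")
    print("denylist flags:", flagged_by_denylist(SAMPLE))
    print("allowlist flags:", flagged_by_allowlist(SAMPLE))
```

The point of the two views is that `joblib.testing.check_subprocess_call` is not on any typical module denylist, so a denylist scanner has nothing to say about it, while an allowlist tuned to what a numpy/joblib array file should contain reports it immediately. Compressed joblib files (zlib, gzip, lzma, etc.) must be decompressed before being fed to `find_globals`.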
Reproduction
```bash
python3 - <<'PY'
import joblib, os
marker = "/tmp/mfv_joblib_nested_object_array_20260626.txt"
# Remove any stale marker so the output below can only come from this load.
try:
    os.unlink(marker)
except FileNotFoundError:
    pass
# Loading the artifact spawns the subprocess that writes the marker file.
joblib.load("malicious_inline_object_array.joblib")
print(open(marker).read().strip())
PY
```
Observed output:
```
nested_joblib_testing
```
Safety note
Although the payload only writes a marker file, loading this artifact executes a subprocess. It is a security research PoC, not a model; load it only inside an isolated test environment.