hacnho's picture
Upload README.md with huggingface_hub
bff2ce0 verified
|
Raw
History Blame Contribute Delete
1.32 kB
metadata
tags:
  - security
  - proof-of-concept
  - joblib
  - pickle
  - scanner-bypass

Joblib inline object-array nested pickle bypass PoC

This repository hosts a benign security research PoC for a Joblib scanner-bypass leading to subprocess execution during joblib.load().

Files

  • malicious_inline_object_array.joblib

Behavior

The artifact is a single .joblib file containing an inline object-dtype NumPy array.

Its top-level stream restores joblib.numpy_pickle.NumpyArrayWrapper, then NumpyArrayWrapper.read_array(...) opens a nested pickle for the object-array payload. That nested payload reduces to joblib.testing.check_subprocess_call(...).

Observed scanner behavior on the research machine:

  • picklescan 1.0.4: Infected files: 0
  • modelscan 0.8.8: internal PickleUnsafeOpScan error, but final output still says No issues found!

Reproduction

python3 - <<'PY'
import joblib, os
marker = "/tmp/mfv_joblib_nested_object_array_20260626.txt"
try:
    os.unlink(marker)
except FileNotFoundError:
    pass
joblib.load("malicious_inline_object_array.joblib")
print(open(marker).read().strip())
PY

Observed output:

nested_joblib_testing

Safety note

This artifact is a non-benign security research PoC. Load it only inside an isolated test environment.