| tags: | |
| - security | |
| - proof-of-concept | |
| - joblib | |
| - pickle | |
| - scanner-bypass | |
| # Joblib inline object-array nested pickle bypass PoC | |
| This repository hosts a benign security research PoC for a Joblib scanner-bypass leading to subprocess execution during `joblib.load()`. | |
| ## Files | |
| - `malicious_inline_object_array.joblib` | |
| ## Behavior | |
| The artifact is a single `.joblib` file containing an inline object-dtype NumPy array. | |
| Its top-level stream restores `joblib.numpy_pickle.NumpyArrayWrapper`, then `NumpyArrayWrapper.read_array(...)` opens a nested pickle for the object-array payload. That nested payload reduces to `joblib.testing.check_subprocess_call(...)`. | |
| Observed scanner behavior on the research machine: | |
| - `picklescan 1.0.4`: `Infected files: 0` | |
| - `modelscan 0.8.8`: internal `PickleUnsafeOpScan` error, but final output still says `No issues found!` | |
| ## Reproduction | |
| ```bash | |
| python3 - <<'PY' | |
| import joblib, os | |
| marker = "/tmp/mfv_joblib_nested_object_array_20260626.txt" | |
| try: | |
| os.unlink(marker) | |
| except FileNotFoundError: | |
| pass | |
| joblib.load("malicious_inline_object_array.joblib") | |
| print(open(marker).read().strip()) | |
| PY | |
| ``` | |
| Observed output: | |
| ```text | |
| nested_joblib_testing | |
| ``` | |
| ## Safety note | |
| This artifact is a non-benign security research PoC. Load it only inside an isolated test environment. | |