--- tags: - security - proof-of-concept - joblib - pickle - scanner-bypass --- # Joblib inline object-array nested pickle bypass PoC This repository hosts a benign security research PoC for a Joblib scanner-bypass leading to subprocess execution during `joblib.load()`. ## Files - `malicious_inline_object_array.joblib` ## Behavior The artifact is a single `.joblib` file containing an inline object-dtype NumPy array. Its top-level stream restores `joblib.numpy_pickle.NumpyArrayWrapper`, then `NumpyArrayWrapper.read_array(...)` opens a nested pickle for the object-array payload. That nested payload reduces to `joblib.testing.check_subprocess_call(...)`. Observed scanner behavior on the research machine: - `picklescan 1.0.4`: `Infected files: 0` - `modelscan 0.8.8`: internal `PickleUnsafeOpScan` error, but final output still says `No issues found!` ## Reproduction ```bash python3 - <<'PY' import joblib, os marker = "/tmp/mfv_joblib_nested_object_array_20260626.txt" try: os.unlink(marker) except FileNotFoundError: pass joblib.load("malicious_inline_object_array.joblib") print(open(marker).read().strip()) PY ``` Observed output: ```text nested_joblib_testing ``` ## Safety note This artifact is a non-benign security research PoC. Load it only inside an isolated test environment.