Hugging Face's logo

ryansecuritytest-fanpierlabs
/
joblib-path-traversal-poc

Joblib
security-research
proof-of-concept
vulnerability
Model card Files
xet
 Community

PoC: Joblib Path Traversal via NDArrayWrapper

Security vulnerability PoC for responsible disclosure via huntr.com.

Vulnerability

NDArrayWrapper.read() uses os.path.join(unpickler._dirname, self.filename) with no validation. Absolute paths in self.filename bypass the directory, enabling arbitrary file read.

File: joblib/numpy_pickle_compat.py, lines 97-111

Files

  • malicious_path_traversal.joblib โ€” Crafted joblib file
  • poc_joblib_path_traversal.py โ€” Full PoC script

Researcher

Ryan โ€” Fan Pier Labs (ryan@fanpierlabs.com)

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support