Hugging Face's logo

sfwani
/
mfv-forwardref-chain-joblib

Joblib
security-research
mfv
Model card Files
xet
 Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

MFV PoC: typing.ForwardRef Pickle Chain (Scanner Bypass)

WARNING: This repository contains a proof-of-concept malicious model file for security research purposes only.

Vulnerability

The file malicious_model.joblib contains a pickle payload that achieves arbitrary code execution when loaded via joblib.load() or pickle.load(). The payload uses typing.ForwardRef and typing.get_type_hints to trigger compile() + eval() internally, bypassing all major model file scanners.

Reproduction 

import joblib
# This will execute: touch /tmp/pwned
model = joblib.load("malicious_model.joblib")

Scanner Results

  • picklescan 1.0.4: 0 issues, 0 infected files
  • modelscan: "No issues found"
  • fickling: No specific dangerous import flagged

GLOBAL References (none on any denylist)

  • typing.ForwardRef
  • typing.get_type_hints
  • builtins.type
  • builtins.object
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support