---
license: other
tags:
  - security-research
  - joblib
  - model-file-vulnerability
  - scanner-bypass
  - compressed-joblib
library_name: joblib
---

Compressed Joblib scanner bypass PoC

This repository is a security research artifact for a huntr Model File Vulnerability report.

Do not load these files outside an isolated test environment.

Files

compressed_zlib.joblib
reproduce.py
requirements.txt

Summary

compressed_zlib.joblib contains a harmless pickle payload inside a Joblib zlib-compressed persistence file.

picklescan treats a .joblib file as raw pickle bytes. In this file the leading bytes are a zlib stream header rather than pickle opcodes, so the scan finds no parseable globals and reports zero dangerous globals. joblib.load("compressed_zlib.joblib") instead detects the Joblib compression magic at the start of the file, transparently decompresses it, and then unpickles the payload.

The payload writes this local marker file:

joblib_compressed_marker.txt

with this text:

JOBLIB_COMPRESSED_EXECUTED

Why this matters

The same payload is detected when stored as a plain, uncompressed .joblib file. Compression changes scanner visibility but not loader behavior.

This demonstrates a scanner/loader semantic gap for a documented Joblib feature: compressed persistence.
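The gap described in the Summary and above, together with the detection-side fix, as an added example that is not code from this repository, from picklescan or from joblib. It uses only the standard library, builds its own constructed payload and never unpickles anything. It assumes that Joblib's compressed persistence files are plain zlib/gzip/bz2/xz/lzma streams recognisable by their standard magic bytes, which is what the loader's transparent decompression implies; the deny list, the `MAX_INNER` cap and all function names are this example's own.

```python
"""Scanner/loader gap: pickle opcodes vs. a zlib-wrapped pickle (added example).

Stdlib only. Nothing here is ever unpickled; the payload is only inspected.
"""
import bz2
import lzma
import os
import pickle
import pickletools
import zlib

# Hypothetical deny list for the demo. os.system pickles under its
# implementing module ("posix" on Unix, "nt" on Windows), so list those too.
DENY = {("os", "system"), ("posix", "system"), ("nt", "system"),
        ("builtins", "eval"), ("builtins", "exec"), ("subprocess", "Popen")}

MAX_INNER = 64 * 1024 * 1024  # cap on decompressed size (decompression-bomb guard)


class MarkerPayload:
    """Constructed sample: loading it would run a harmless echo. Never loaded here."""
    def __reduce__(self):
        cmd = "echo JOBLIB_COMPRESSED_EXECUTED > joblib_compressed_marker.txt"
        return (os.system, (cmd,))


def plain_pickle_bytes() -> bytes:
    return pickle.dumps(MarkerPayload(), protocol=4)


def zlib_container_bytes() -> bytes:
    # Assumption: a joblib zlib-compressed file is a plain zlib stream
    # (first byte 0x78) wrapping the pickle bytes.
    return zlib.compress(plain_pickle_bytes(), 3)


def globals_in_pickle(data: bytes) -> list:
    """Walk the opcode stream and collect every (module, name) reference.

    Unparseable input yields [] on purpose: that is exactly how a raw-bytes
    scanner ends up reporting 'zero globals' for a compressed file.
    """
    found, recent_strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name == "GLOBAL":            # protocol < 4: arg is "module name"
                module, name = arg.split(" ", 1)
                found.append((module, name))
            elif op.name == "STACK_GLOBAL":    # protocol 4: module, name pushed just before
                found.append((recent_strings[-2], recent_strings[-1]))
            elif isinstance(arg, str):
                recent_strings.append(arg)
    except (ValueError, IndexError, UnicodeDecodeError):
        return []
    return found


def _bounded(decomp, data: bytes) -> bytes:
    """Decompress with an output cap; refuse truncated or oversized streams."""
    out = decomp.decompress(data, MAX_INNER + 1)
    if len(out) > MAX_INNER:
        raise ValueError("decompressed payload exceeds MAX_INNER")
    if not decomp.eof:
        raise ValueError("truncated compressed stream")
    return out


# Standard magic bytes of the compressors Joblib's persistence layer accepts.
CONTAINERS = [
    (b"\x1f\x8b", "gzip", lambda d: _bounded(zlib.decompressobj(wbits=31), d)),
    (b"BZ", "bz2", lambda d: _bounded(bz2.BZ2Decompressor(), d)),
    (b"\xfd7zXZ\x00", "xz", lambda d: _bounded(lzma.LZMADecompressor(), d)),
    (b"\x5d\x00", "lzma", lambda d: _bounded(lzma.LZMADecompressor(), d)),
    (b"\x78", "zlib", lambda d: _bounded(zlib.decompressobj(), d)),
    (b"\x04\x22\x4d\x18", "lz4", None),  # not in the stdlib: flag, do not parse
]


def detect_container(data: bytes):
    for magic, name, fn in CONTAINERS:
        if data.startswith(magic):
            return name, fn
    return None, None


def scan_raw(data: bytes) -> list:
    """What a scanner that treats .joblib as bare pickle reports."""
    return [g for g in globals_in_pickle(data) if g in DENY]


def scan_container_aware(data: bytes) -> dict:
    """Unwrap the container the way the loader would, then scan the inside.

    Fails closed: a file that cannot be unwrapped is reported as an error,
    never as 'clean'.
    """
    name, fn = detect_container(data)
    if name and fn is None:
        return {"container": name, "dangerous": [], "error": "unsupported compressor"}
    try:
        inner = fn(data) if fn else data
    except Exception as exc:  # zlib.error, OSError (bz2), LZMAError, ValueError
        return {"container": name, "dangerous": [], "error": f"{name}: {exc}"}
    return {"container": name, "dangerous": scan_raw(inner), "error": None}


if __name__ == "__main__":
    print("plain, raw scan:     ", scan_raw(plain_pickle_bytes()))
    print("compressed, raw scan:", scan_raw(zlib_container_bytes()))
    print("compressed, aware:   ", scan_container_aware(zlib_container_bytes()))
```

The raw scan flags the plain pickle and returns an empty list for the same bytes inside a zlib stream; the container-aware scan strips the wrapper first and flags the same global. The output cap and fail-closed error path matter once a scanner starts decompressing attacker-supplied files: decompression is itself attack surface, and "could not parse" must not be reported as "no dangerous globals".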

Reproduction

Use an isolated Python environment.

python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python reproduce.py

Expected result:

Directory scan:
Dangerous globals: 0

Single-file scan:
Dangerous globals: 0

Loader:
joblib_compressed_marker.txt created: True
marker text: JOBLIB_COMPRESSED_EXECUTED

Intended disclosure context

This artifact is intended to demonstrate a model-file scanner/loader semantic gap for the huntr Model File Vulnerabilities program.