---
license: other
tags:
- security-research
- joblib
- model-file-vulnerability
- scanner-bypass
- compressed-joblib
library_name: joblib
---

# Compressed Joblib scanner bypass PoC

This repository is a security research artifact for a huntr Model File Vulnerability report.

**Do not load these files outside an isolated test environment.**

## Files

```text
compressed_zlib.joblib
reproduce.py
requirements.txt
```

## Summary

`compressed_zlib.joblib` contains a harmless pickle payload inside a Joblib zlib-compressed persistence file.

`picklescan` scans `.joblib` files as raw pickle bytes and reports zero dangerous globals for this compressed file.

`joblib.load("compressed_zlib.joblib")` detects the Joblib compression magic, transparently decompresses the file, and then unpickles the payload. The payload writes this local marker file:

```text
joblib_compressed_marker.txt
```

with this text:

```text
JOBLIB_COMPRESSED_EXECUTED
```

## Why this matters

The same payload is detected when stored as a plain, uncompressed `.joblib` file. Compression changes scanner visibility but not loader behavior.

This demonstrates a scanner/loader semantic gap for a documented Joblib feature: compressed persistence.

## Reproduction

Use an isolated Python environment.

```bash
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python reproduce.py
```

Expected result:

```text
Directory scan:
Dangerous globals: 0
Single-file scan:
Dangerous globals: 0
Loader:
joblib_compressed_marker.txt created: True
marker text: JOBLIB_COMPRESSED_EXECUTED
```

## Intended disclosure context

This artifact is intended to demonstrate a model-file scanner/loader semantic gap for the huntr Model File Vulnerabilities program.
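The scanner/loader gap described under Summary and Why this matters closes on the scanner side when the scanner sniffs the same compression prefixes `joblib.load` does before walking the pickle opcode stream, and when an unparseable stream is reported as such rather than as zero dangerous globals. The following is an added defender-side example, not code from this repository, picklescan or joblib: it builds its own sample files with `zlib.compress` over a plain pickle (the same layout joblib's `zlib` compressor writes, so joblib is not required), the prefix table mirrors joblib's registered compressors minus lz4, and the module denylist is illustrative.

```python
import bz2, gzip, lzma, pickle, pickletools, sys, zlib
from collections import OrderedDict

# Stream prefixes joblib registers for compressed persistence files (zlib, gzip,
# bz2, xz, lzma); lz4 is omitted because it is not in the stdlib.
COMPRESSORS = [(b"\x78", zlib.decompress), (b"\x1f\x8b", gzip.decompress), (b"BZh", bz2.decompress),
               (b"\xfd7zXZ", lzma.decompress), (b"\x5d\x00", lzma.decompress)]
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Illustrative module denylist in the style of picklescan (not its real list).
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "sys", "builtins", "shutil", "socket", "runpy"}

def extract_globals(data):
    """Static opcode walk (nothing is unpickled) -> ([(module, name)], parsed_ok)."""
    found, strings, memo, last = [], [], {}, None
    try:
        for op, arg, _ in pickletools.genops(data):
            if op.name in STRING_OPS:
                strings.append(arg); last = arg
            elif op.name == "MEMOIZE":
                memo[len(memo)] = last
            elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
                memo[arg] = last
            elif op.name in ("GET", "BINGET", "LONG_BINGET"):
                last = memo.get(arg)             # re-used module/name string
                if isinstance(last, str): strings.append(last)
            else:
                if op.name == "GLOBAL":          # protocol <= 3: "module name"
                    found.append(tuple(arg.split(" ", 1)))
                elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                    found.append((strings[-2], strings[-1]))
                last = None
    except ValueError:   # unknown opcode or truncated stream: report it, not "clean"
        return found, False
    return found, True

def scan(data, decompress=True):
    """-> (dangerous, all_globals, parsed_ok); decompress=True sniffs the prefixes joblib.load does."""
    if decompress:
        for prefix, decomp in COMPRESSORS:
            if data.startswith(prefix):
                data = decomp(data); break
    found, ok = extract_globals(data)
    return [g for g in found if g[0] in DANGEROUS_MODULES], found, ok

def make_sample(obj):
    """Constructed stand-in for a joblib 'zlib' file: a plain pickle inside a zlib stream."""
    return zlib.compress(pickle.dumps(obj, protocol=4))

SAMPLE_SAFE = make_sample(OrderedDict(a=1))  # references only collections.OrderedDict
SAMPLE_FLAGGED = make_sample(sys.exit)       # bare reference into sys; never called
```

Scanning either sample with `decompress=False` reproduces the raw-bytes view from the README (no globals and a parse failure), while the prefix-aware scan reports the globals the loader would actually resolve.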