Joblib loky cloudpickle-wrapper nested-pickle PoC

This repository contains a bounded security research PoC for a scanner-clean .joblib artifact that invokes joblib.externals.loky.cloudpickle_wrapper._reconstruct_wrapper during joblib.load(). The scanner-visible top-level pickle only references the wrapper helper, while the dangerous pickle stream is stored as bytes and loaded inside cloudpickle.loads().

Files

  • control_plain_dict.joblib - benign control artifact.
  • malicious_loky_cloudpickle_wrapper_nested.joblib - triggers the nested pickle and writes a marker file in the reproduction temp directory.
  • reproduce.py - loads each artifact and reports whether the marker exists.
  • requirements.txt - tested dependencies.

Exact public file URLs:

  • https://huggingface.co/hacnho/joblib-loky-cloudpickle-wrapper-nested-ace-poc/resolve/main/control_plain_dict.joblib
  • https://huggingface.co/hacnho/joblib-loky-cloudpickle-wrapper-nested-ace-poc/resolve/main/malicious_loky_cloudpickle_wrapper_nested.joblib
  • https://huggingface.co/hacnho/joblib-loky-cloudpickle-wrapper-nested-ace-poc/resolve/main/reproduce.py
  • https://huggingface.co/hacnho/joblib-loky-cloudpickle-wrapper-nested-ace-poc/resolve/main/requirements.txt

Tested Environment

  • joblib==1.5.3
  • picklescan==1.0.4
  • modelscan==0.8.8

Reproduction

python3 -m venv /tmp/joblib-cloudpickle-wrapper-poc
/tmp/joblib-cloudpickle-wrapper-poc/bin/pip install -U pip
/tmp/joblib-cloudpickle-wrapper-poc/bin/pip install -r requirements.txt
/tmp/joblib-cloudpickle-wrapper-poc/bin/python reproduce.py *.joblib

Expected marker for the malicious artifact:

mfv_loky_cloudpickle_wrapper_marker.txt

Scanner results:

  • picklescan==1.0.4: infected_files = 0, issues_count = 0.
  • modelscan==0.8.8: No issues found!
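A static check for the pattern described above (a top-level import of the loky cloudpickle wrapper plus a pickle stream carried as a bytes argument), which the two scanners listed under Scanner results report as clean. This is an added example, not code from this repository; the sample stream it builds is constructed in place, copies only the shape of the top-level pickle with a harmless inner payload, and is parsed with pickletools but never unpickled.

```python
import pickle
import pickletools

# Callables known to unpickle a bytes argument handed to them during load.
# Assumption: seeded only with the wrapper named in this PoC; extend as needed.
NESTED_LOADERS = {("joblib.externals.loky.cloudpickle_wrapper", "_reconstruct_wrapper")}

def scan_pickle(data: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """Walk the opcodes without executing them; return (depth, kind, detail) findings:
    'global' for every import, 'nested_loader' for imports in NESTED_LOADERS,
    'nested_pickle' for bytes constants that look like (and parse as) a pickle."""
    findings = []
    if depth > max_depth:
        return findings
    strings = []  # unicode constants seen so far; STACK_GLOBAL consumes the last two
    for op, arg, pos in pickletools.genops(data):
        ref = None
        if op.name == "GLOBAL":
            ref = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            ref = (strings[-2], strings[-1])  # heuristic: no full stack emulation
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
        elif op.name in ("SHORT_BINBYTES", "BINBYTES", "BINBYTES8") and arg[:1] == b"\x80":
            # Protocol >= 2 pickles open with the PROTO opcode (0x80): flag and recurse.
            findings.append((depth, "nested_pickle", f"{len(arg)} bytes at offset {pos}"))
            try:
                findings.extend(scan_pickle(arg, depth + 1, max_depth))
            except ValueError:
                pass  # looked like a pickle header but does not parse; keep the flag
        if ref is not None:
            findings.append((depth, "global", ".".join(ref)))
            if ref in NESTED_LOADERS:
                findings.append((depth, "nested_loader", ".".join(ref)))
    return findings

def build_sample() -> bytes:
    """Constructed stand-in for the PoC's top-level stream: REDUCE of the wrapper
    on a harmless nested pickle. Hand-built from opcodes and only ever parsed."""
    inner = pickle.dumps({"marker": "constructed"}, protocol=4)
    mod, name = b"joblib.externals.loky.cloudpickle_wrapper", b"_reconstruct_wrapper"
    return (b"\x80\x04"                                   # PROTO 4
            + b"\x8c" + bytes([len(mod)]) + mod            # SHORT_BINUNICODE module
            + b"\x8c" + bytes([len(name)]) + name          # SHORT_BINUNICODE name
            + b"\x93"                                      # STACK_GLOBAL
            + b"C" + bytes([len(inner)]) + inner           # SHORT_BINBYTES payload
            + b"\x85R.")                                   # TUPLE1, REDUCE, STOP

def build_control() -> bytes:
    """Constructed benign stream with the shape of the plain-dict control artifact."""
    return pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
```

Uncompressed joblib artifacts are plain pickle streams and can be fed to scan_pickle directly; compressed ones must be decompressed first. Any 'nested_loader' or 'nested_pickle' finding is a reason to reject the file before joblib.load() runs.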