F003 v2 — Joblib BinaryZlibFile unused_data OOM / Loader DoS

Status

This is a stronger evidence pack for existing F003. It is not a new finding ID.

Confirmed Claim

A crafted compressed .joblib file can cause joblib.load() to enter an unbounded decompression path in BinaryZlibFile._fill_buffer() by repeatedly feeding zlib unused_data back into a finished decompressor. This causes exponential unused_data growth and process-level denial of service.

PoC File

Path: poc/f003_unused_data_oom.joblib

SHA256: 9673f843f3d71ceb65db8764ea74ee58186b10083ccf66322a1b0e9d9033db0a

Size: 66 bytes

Confirmed Evidence

  • evidence/01_unused_data_growth.txt: shows deterministic unused_data doubling from 52 bytes to 436,207,616 bytes.

  • evidence/02_direct_joblib_load_oom_or_timeout.txt: shows direct joblib.load() of the crafted file inside a Docker memory limit.

Confirmed direct-load result: direct_load_rc=137

Safe Impact Statement

In applications or model-serving services that call joblib.load() on attacker-supplied .joblib files without subprocess isolation, memory limits, or timeout controls, each malicious file can terminate a loading worker. Multiple submissions can cause low-bandwidth worker or pod exhaustion.
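
The three controls named above (subprocess isolation, a memory limit, a timeout) can be combined in one loader gate. The following is an added example, not part of the original evidence pack or of joblib: `probe_load`, `JOBLIB_PROBE` and their parameters are hypothetical names, and it assumes a POSIX host (the `resource` module) with joblib installed for the child interpreter.

```python
import resource
import subprocess
import sys

# Child program: loads the file and discards the result. joblib is imported
# only in the child, so the serving process never decompresses the file itself.
JOBLIB_PROBE = "import sys, joblib; joblib.load(sys.argv[1])"


def probe_load(path, mem_limit_bytes=1 << 30, timeout_s=10.0,
               child_code=JOBLIB_PROBE):
    """Run child_code against path in a throwaway interpreter with a hard
    address-space cap and a wall-clock timeout. Returns a verdict string."""

    def cap_memory():
        # Runs in the child just before exec: allocations past the cap fail
        # there (MemoryError) instead of exhausting the worker or pod.
        resource.setrlimit(resource.RLIMIT_AS,
                           (mem_limit_bytes, mem_limit_bytes))

    try:
        proc = subprocess.run(
            [sys.executable, "-c", child_code, path],
            preexec_fn=cap_memory,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,  # child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode == 0:
        return "ok"
    if proc.returncode < 0:
        # Negative return code: the child was terminated by a signal
        return f"killed:signal{-proc.returncode}"
    return f"failed:rc{proc.returncode}"
```

The verdict only reports whether the load stayed within the limits; a service using this gate would reject any file whose verdict is not `ok`.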

Non-Claims

  • No RCE claimed.
  • No data theft claimed.
  • No host/container escape claimed.
  • No persistent outage after worker restart claimed.
  • No claim that every deployment is remotely exploitable.
  • No claim that every historical Joblib version is affected unless separately verified.