
Compressed Joblib scanner bypass PoC

This repository is a security research artifact for a huntr Model File Vulnerability report.

Do not load these files outside an isolated test environment.

Files

compressed_zlib.joblib
reproduce.py
requirements.txt

Summary

compressed_zlib.joblib contains a harmless pickle payload inside a Joblib zlib-compressed persistence file.

picklescan scans .joblib files as raw pickle bytes and reports zero dangerous globals for this compressed file. joblib.load("compressed_zlib.joblib") detects the Joblib compression magic, transparently decompresses the file, and then unpickles the payload.

The payload writes this local marker file:

joblib_compressed_marker.txt

with this text:

JOBLIB_COMPRESSED_EXECUTED

Why this matters

The same payload is detected when stored as a plain, uncompressed .joblib file. Compression changes scanner visibility but not loader behavior.

This demonstrates a scanner/loader semantic gap for a documented Joblib feature: compressed persistence.
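A defender-side check for exactly this gap, added here as an example and not part of the repository's reproduce.py: detect the same container prefixes joblib looks for, decompress with the standard library, and only then walk the pickle opcodes for global references. The sample is a constructed harmless OrderedDict pickle, not compressed_zlib.joblib; the prefix table and the assumption that joblib's zlib container is a raw zlib stream around the pickle are taken from joblib's compressor module as I recall it, not from this page.

```python
import bz2, gzip, lzma, pickle, pickletools, zlib
from collections import OrderedDict
# Container prefixes joblib checks before unpickling (assumption: as listed in
# joblib's compressor module; lz4 is omitted since it needs a third-party package).
PREFIXES = [(b"\x1f\x8b", "gzip"), (b"BZ", "bz2"), (b"\xfd7zXZ", "xz"),
            (b"\x5d\x00", "lzma"), (b"\x78", "zlib")]
DECOMPRESSORS = {"gzip": gzip.decompress, "bz2": bz2.decompress, "xz": lzma.decompress,
                 "lzma": lzma.decompress, "zlib": zlib.decompress}

def detect_compressor(data: bytes):
    """Mirror the loader: the first matching prefix decides the container."""
    for prefix, name in PREFIXES:
        if data.startswith(prefix):
            return name
    return None

def pickle_globals(data: bytes):
    """(module, name) pairs referenced by GLOBAL / STACK_GLOBAL opcodes.
    Simplified: STACK_GLOBAL is resolved from the last two string pushes, so a
    stream that re-fetches its strings via BINGET needs full memo modelling."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))  # arg is "module name"
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found

def raw_scan(data: bytes):
    """Treat the file as raw pickle bytes: a zlib stream is not valid opcodes,
    so the walk fails and nothing is flagged, which is the gap described above."""
    try:
        return pickle_globals(data)
    except Exception:  # unknown opcode or truncated stream
        return []

def scan_like_loader(data: bytes):
    """Scan what joblib would actually unpickle: decompress first if needed."""
    name = detect_compressor(data)
    if name is None:
        return None, pickle_globals(data)
    return name, pickle_globals(DECOMPRESSORS[name](data))

# Constructed harmless sample: a zlib stream around a pickle, which is how
# joblib's zlib container is stored on disk (assumption, see lead-in).
SAMPLE_PAYLOAD = pickle.dumps(OrderedDict(marker="constructed sample"), protocol=4)
SAMPLE_FILE = zlib.compress(SAMPLE_PAYLOAD)
```

Running `raw_scan(SAMPLE_FILE)` returns an empty list while `scan_like_loader(SAMPLE_FILE)` reports the `collections.OrderedDict` reference, which is the difference between the two scan results and the loader result shown in the Reproduction section.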

Reproduction

Use an isolated Python environment.

python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python reproduce.py

Expected result:

Directory scan:
Dangerous globals: 0

Single-file scan:
Dangerous globals: 0

Loader:
joblib_compressed_marker.txt created: True
marker text: JOBLIB_COMPRESSED_EXECUTED

Intended disclosure context

This artifact is intended to demonstrate a model-file scanner/loader semantic gap for the huntr Model File Vulnerabilities program.
