Joblib ModelScan Bypass PoC

This is a harmless proof-of-concept for a .joblib model-file scanner bypass.

The payload uses Python's standard-library pydoc.pipepager callable. Loading the file with joblib.load() executes a shell command, but ModelScan's pickle scanner reports zero issues because pydoc is not included in its unsafe-global denylist.

The payload command only writes modelscan_bypass_marker.txt in the current working directory.

Files

  • poc_joblib_windows.joblib - Windows PoC payload; harmless marker via cmd /c.
  • poc_joblib_posix.joblib - Linux/macOS PoC payload; harmless marker via sh -c.
  • verify_poc.py - runs ModelScan first, then loads the payload with joblib.load() and checks the marker.
  • requirements.txt - tested with modelscan==0.8.8 and joblib==1.5.3.
  • modelscan_result_pypi_windows.json - primary Windows verification using PyPI modelscan==0.8.8: 0 issues, 0 errors.
  • modelscan_result_recheck_windows.json - second Windows recheck showing the same bypass result.
  • modelscan_result_posix.json - POSIX verification result.
  • generate_poc.py - generates the .joblib payload files.
  • huntr_report_draft.md - draft report text for Huntr.

Reproduce

Install runtime dependencies:

pip install joblib modelscan

Generate payloads:

python generate_poc.py --out-dir .

Verify on Windows:

python verify_poc.py --payload poc_joblib_windows.joblib

Verify on Linux/macOS:

python verify_poc.py --payload poc_joblib_posix.joblib

Expected result:

ModelScan issues: 0
ModelScan errors: 0
Marker created by joblib.load: True
Marker contents: MODEL_SCAN_BYPASS

Impact

This demonstrates arbitrary command execution when a .joblib file is loaded, while the same file passes ModelScan with no issues. This fits the high-value Model File Vulnerability category for scanner bypass and code execution through model loading.
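A defender-side check for this class of gap, added here as an example and not part of this PoC repository: instead of a denylist, enumerate every import the pickle stream would perform (pickletools only disassembles; nothing is executed) and reject anything outside an allowlist of modules a model legitimately needs. It assumes an uncompressed .joblib file (a plain pickle stream; compressed joblib files must be decompressed first), and the allowlist prefixes are an assumption to tune per model family.

```python
import pickle
import pickletools
import pydoc

# Module prefixes a scikit-learn/joblib model legitimately needs (assumption,
# tune per model family). Anything else is reported, so a denylist gap such
# as pydoc cannot slip through.
ALLOWED_MODULE_PREFIXES = ("numpy", "sklearn", "joblib", "collections", "copyreg")

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_imports(data: bytes):
    """Return (module, name) pairs the pickle would import, without loading it.

    GLOBAL carries "module name" inline. STACK_GLOBAL takes module and name from
    the two most recently pushed strings; memo lookups are not resolved here,
    so an unresolvable pair is reported rather than silently dropped.
    """
    imports, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(str(arg))
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) >= 2:
                imports.append((recent[-2], recent[-1]))
            else:
                imports.append(("<unresolved>", "<unresolved>"))
    return imports


def unsafe_imports(data: bytes):
    """Imports outside the allowlist; a non-empty result means reject the file."""
    return [(m, n) for m, n in pickle_imports(data)
            if not any(m == p or m.startswith(p + ".") for p in ALLOWED_MODULE_PREFIXES)]


def scan_joblib_file(path):
    """Scan an uncompressed .joblib file (plain pickle stream) from disk."""
    with open(path, "rb") as fh:
        return unsafe_imports(fh.read())


# Constructed samples: a benign model-like dict, and pickles that merely
# *reference* pydoc.pipepager by name (protocol 4 uses STACK_GLOBAL, protocol 2
# uses GLOBAL); neither contains a call, and neither is ever loaded here.
BENIGN = pickle.dumps({"coef": [0.3, -1.2], "intercept": 0.5})
REFERENCES_PYDOC = pickle.dumps(pydoc.pipepager, protocol=4)
REFERENCES_PYDOC_V2 = pickle.dumps(pydoc.pipepager, protocol=2)

if __name__ == "__main__":
    print("benign:", unsafe_imports(BENIGN))
    print("pydoc reference:", unsafe_imports(REFERENCES_PYDOC))
```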
