You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

Joblib ModelScan Scanner-Bypass PoC

This repository contains a benign proof of concept prepared for the Huntr Model Format Vulnerability program. It demonstrates a false-negative clean verdict in ModelScan 0.8.8 for a supported .joblib artifact.

Security notice

The .joblib file is intentionally crafted to demonstrate code execution during deserialization. Do not load it outside an isolated research environment. The provided payload only writes the text MODEL_SCAN_BYPASS_CONFIRMED to a marker in the operating system's temporary directory. It performs no network request, sensitive-file read, persistence, or destructive action.

This submission does not claim that Joblib's documented Pickle-based loading behavior is itself a vulnerability. The reported issue is ModelScan's false-clean result.

Files

  • modelscan-joblib-bypass.joblib: PoC model file.
  • generate_poc.py: standalone generator for the model file.
  • requirements.txt: tested package versions.
  • SHA256SUMS.txt: expected hashes for the model and generator.

Confirmed environment

modelscan==0.8.8
joblib==1.5.3
Python 3.12.13
pip 26.0.1

The loader environment must be able to import pip, and python must be available on PATH for this portable marker demonstration.

Artifact

modelscan-joblib-bypass.joblib
SHA-256: 4fbe41c82418699f80b62f2607f5294b2a613fd66a421e362e7be17f1a52761d

The artifact was generated with:

joblib.dump(payload, output, compress=0, protocol=4)

It can be regenerated after installing the pinned requirements:

python -m pip install -r requirements.txt
python generate_poc.py

Reproduction

Always scan the artifact before loading it.

1. Confirm that the marker is absent

Linux:

rm -f /tmp/huntr_modelscan_joblib_bypass.txt
test ! -e /tmp/huntr_modelscan_joblib_bypass.txt

Windows PowerShell:

Remove-Item "$env:TEMP\huntr_modelscan_joblib_bypass.txt" -ErrorAction SilentlyContinue
Test-Path "$env:TEMP\huntr_modelscan_joblib_bypass.txt"

The expected PowerShell result is False.

2. Scan with ModelScan 0.8.8

modelscan -p modelscan-joblib-bypass.joblib -r json

The confirmed result is:

issues:  0
errors:  0
skipped: 0
scanned: 1

3. Confirm the clean result

This is a successful scan of a supported .joblib file, not an unsupported, skipped, or parser-error result.

4. Load the same artifact

python -c "import joblib; print(repr(joblib.load('modelscan-joblib-bypass.joblib')))"

The confirmed loader output is:

''

5. Verify the benign marker

Loading creates:

  • Linux: /tmp/huntr_modelscan_joblib_bypass.txt
  • Windows: %TEMP%\huntr_modelscan_joblib_bypass.txt

Its content is:

MODEL_SCAN_BYPASS_CONFIRMED

The technical root cause and impact analysis are provided in the Huntr submission.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support