Joblib ModelScan Scanner-Bypass PoC
This repository contains a benign proof of concept prepared for the Huntr
Model Format Vulnerability program. It demonstrates a false-negative clean
verdict in ModelScan 0.8.8 for a supported .joblib artifact.
Security notice
The .joblib file is intentionally crafted to demonstrate code execution
during deserialization. Do not load it outside an isolated research
environment. The provided payload only writes the text
MODEL_SCAN_BYPASS_CONFIRMED to a marker in the operating system's temporary
directory. It performs no network request, sensitive-file read, persistence, or
destructive action.
This submission does not claim that Joblib's documented Pickle-based loading behavior is itself a vulnerability. The reported issue is ModelScan's false-clean result.
Files
modelscan-joblib-bypass.joblib: PoC model file.generate_poc.py: standalone generator for the model file.requirements.txt: tested package versions.SHA256SUMS.txt: expected hashes for the model and generator.
Confirmed environment
modelscan==0.8.8
joblib==1.5.3
Python 3.12.13
pip 26.0.1
The loader environment must be able to import pip, and python must be
available on PATH for this portable marker demonstration.
Artifact
modelscan-joblib-bypass.joblib
SHA-256: 4fbe41c82418699f80b62f2607f5294b2a613fd66a421e362e7be17f1a52761d
The artifact was generated with:
joblib.dump(payload, output, compress=0, protocol=4)
It can be regenerated after installing the pinned requirements:
python -m pip install -r requirements.txt
python generate_poc.py
Reproduction
Always scan the artifact before loading it.
1. Confirm that the marker is absent
Linux:
rm -f /tmp/huntr_modelscan_joblib_bypass.txt
test ! -e /tmp/huntr_modelscan_joblib_bypass.txt
Windows PowerShell:
Remove-Item "$env:TEMP\huntr_modelscan_joblib_bypass.txt" -ErrorAction SilentlyContinue
Test-Path "$env:TEMP\huntr_modelscan_joblib_bypass.txt"
The expected PowerShell result is False.
2. Scan with ModelScan 0.8.8
modelscan -p modelscan-joblib-bypass.joblib -r json
The confirmed result is:
issues: 0
errors: 0
skipped: 0
scanned: 1
3. Confirm the clean result
This is a successful scan of a supported .joblib file, not an unsupported,
skipped, or parser-error result.
4. Load the same artifact
python -c "import joblib; print(repr(joblib.load('modelscan-joblib-bypass.joblib')))"
The confirmed loader output is:
''
5. Verify the benign marker
Loading creates:
- Linux:
/tmp/huntr_modelscan_joblib_bypass.txt - Windows:
%TEMP%\huntr_modelscan_joblib_bypass.txt
Its content is:
MODEL_SCAN_BYPASS_CONFIRMED
The technical root cause and impact analysis are provided in the Huntr submission.