ModelScan Bypass: Arbitrary Code Execution in .joblib via cProfile.run gadget
Proof-of-concept for a Huntr Model File Format report.
model.joblib runs code on joblib.load() while ModelScan reports it clean.
The malicious __reduce__ uses cProfile.run, a code-executing stdlib callable that is
not on ModelScan's PickleUnsafeOpScan denylist, and hides the command in a string
argument the scanner never inspects.
Files
model.joblib: the PoC model file (benign payload: writes modelscan_poc_executed.txt)
exploit.py: builds the model, scans it with ModelScan, loads it, prints the result
Reproduce
pip install joblib modelscan
# 1) scanner says it is safe:
modelscan -p model.joblib # -> No issues found!
# 2) loading it executes code:
python -c "import joblib; joblib.load('model.joblib')"
ls modelscan_poc_executed.txt # marker proves code ran on load
# or run everything at once:
python exploit.py # -> No issues found (BYPASS) + CODE EXECUTED
Impact
ModelScan is used to gate untrusted models in MLOps pipelines / model hubs. This file passes the scan as clean yet achieves arbitrary code execution on load, defeating the control. Verified on modelscan 0.8.6 / joblib 1.5.3.
The payload here is benign (writes a marker file). Swap the command in exploit.py to confirm real command execution.
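Added example, not part of this PoC or of ModelScan: the denylist gap above is closed by allowlisting instead, so the checker below walks the pickle opcode stream with pickletools (constructing nothing) and flags every GLOBAL/STACK_GLOBAL reference that is not on an explicit allowlist, which catches cProfile.run or any other stdlib gadget without naming it. The allowlist and the sample byte strings are constructed for this example.

```python
import collections
import pickle
import pickletools

# Constructed allowlist for this example: the only globals a model file may
# reference. A real deployment enumerates what its own models legitimately need.
ALLOWED_GLOBALS = frozenset({
    "collections.OrderedDict", "numpy.ndarray", "numpy.dtype",
    "numpy.core.multiarray._reconstruct", "numpy.core.multiarray.scalar",
})
# Opcodes that push a str (STACK_GLOBAL consumes the two most recent ones);
# memo opcodes leave the stack untouched, so they may sit between those strs.
STRING_OPS = {"UNICODE", "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> list:
    """Every 'module.name' the pickle would import via GLOBAL/STACK_GLOBAL.

    pickletools.genops only parses the opcode stream: nothing is imported or
    called. A STACK_GLOBAL whose operands are not two literal strs directly
    before it (e.g. fetched back from the memo) is reported as unresolved so
    the caller fails closed instead of guessing.
    """
    found, recent = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":          # protocols 0-3: arg is "module name"
            found.append(arg.replace(" ", ".", 1))
            recent = []
        elif op.name == "STACK_GLOBAL":  # protocol 4+: names pushed as strs
            found.append(f"{recent[-2]}.{recent[-1]}" if len(recent) >= 2
                         else "<unresolved STACK_GLOBAL>")
            recent = []
        elif op.name in STRING_OPS:
            recent.append(arg)
        elif op.name not in MEMO_OPS:    # any other opcode breaks the sequence
            recent = []
    return found


def scan(data: bytes, allowed=ALLOWED_GLOBALS) -> list:
    """Globals that are NOT allowlisted; an empty list means the file is clean."""
    return [g for g in referenced_globals(data) if g not in allowed]


# Constructed samples: a benign object pickled normally, plus hand-written opcode
# streams that only reference the gadget callable (no REDUCE, no command).
BENIGN = pickle.dumps(collections.OrderedDict(weights=[0.1, 0.2]), protocol=4)
SUSPICIOUS_P0 = b"ccProfile\nrun\n."                         # GLOBAL, STOP
SUSPICIOUS_P4 = b"\x80\x04\x8c\x08cProfile\x8c\x03run\x93."  # STACK_GLOBAL, STOP
```

Anything scan() returns non-empty for should be quarantined rather than loaded; the unresolved marker is deliberately treated as a finding, not as clean.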