Security PoC — Remote Code Execution in mljar-supervised via unsafe joblib model loading

This repository is a proof-of-concept for a security vulnerability reported through huntr (Model File Vulnerability program), published only as evidence for responsible disclosure. The payload runs a harmless touch command. Do not load untrusted mljar-supervised model directories on a machine you care about.

What this demonstrates

mljar-supervised restores a saved AutoML model from a directory via the public AutoML.load(path) / AutoML(results_path=path) API. For each learner it calls joblib.load() on the learner file (supervised/algorithms/sklearn.py:53). joblib.load deserializes with pickle, so a learner file with a __reduce__ gadget executes arbitrary code. Loading an untrusted model directory = remote code execution. There is no safe-load option. Model file format: Joblib.

mljar documents saving models to a directory and a "Share/Deploy model as App" feature, so loading model directories from other parties is an intended workflow.

Files

  • evil_model_dir/ — a real mljar model directory whose learner file (1_DecisionTree/learner_fold_0.decision_tree, named in framework.json["saved"]) was replaced with a malicious pickle whose __reduce__ runs os.system.
  • load_poc.py β€” loads the directory through the public AutoML API and triggers the sink.

Reproduce

pip install mljar-supervised      # 1.3.0
python load_poc.py                # creates /tmp/PWNED_MLJAR via os.system during load
ls -la /tmp/PWNED_MLJAR            # file exists => arbitrary code executed

Root cause (and fix)

supervised/algorithms/sklearn.py:

def load(self, model_file_path):
    self.model = joblib.load(model_file_path)   # joblib == pickle -> RCE on untrusted file

Reached from AutoML(results_path=dir) → ModelFramework.load (reads framework.json["saved"]) → AlgorithmFactory.load → SklearnAlgorithm.load → joblib.load. No allowlist, no safe flag.

Fix: don't joblib.load learner files from untrusted directories; validate provenance or load parameters in a non-executable form; document model directories as executable artifacts.
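The "validate provenance" half of that fix, as an added defender-side example written for this page (it is not code from this PoC repository or from mljar-supervised): before anything calls AutoML.load, audit each learner named in framework.json["saved"] against a trusted SHA-256 manifest and walk its pickle opcode stream with pickletools, which parses without executing, to list every global the file would import. The framework.json layout (a "saved" list of paths relative to the directory holding the file), the denylist of modules, and the demo learner contents are assumptions made for the example.

```python
import hashlib
import json
import pickle
import pickletools
from pathlib import Path

# Modules that a serialised scikit-learn learner never legitimately references.
# Constructed denylist for this example; extend it for your own environment.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "sys", "shutil", "builtins",
    "socket", "importlib", "runpy", "pty", "code",
}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING",
              "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Walk the opcode stream with pickletools (nothing is executed) and collect
    every (module, name) pair that GLOBAL or STACK_GLOBAL would import on load."""
    found = set()
    recent_strings = []  # last two string args: the operands of STACK_GLOBAL (protocol 4+)
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":  # arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name in STRING_OPS:
            recent_strings = (recent_strings + [arg])[-2:]
        elif op.name == "STACK_GLOBAL" and len(recent_strings) == 2:
            found.add((recent_strings[0], recent_strings[1]))
    return found


def unsafe_globals(data: bytes) -> set[tuple[str, str]]:
    """Subset of referenced globals whose top-level package is on the denylist."""
    return {g for g in referenced_globals(data) if g[0].split(".")[0] in DANGEROUS_MODULES}


def check_model_dir(model_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Return audit findings for a model directory. An empty list means every
    learner listed in framework.json["saved"] matches its trusted SHA-256 and
    references no dangerous globals; only then should AutoML.load be called.
    Assumed layout: framework.json sits in model_dir and lists learner paths
    relative to it."""
    findings = []
    framework_file = model_dir / "framework.json"
    if not framework_file.is_file():
        return [f"missing {framework_file}"]
    for rel in json.loads(framework_file.read_text())["saved"]:
        learner = model_dir / rel
        if not learner.is_file():
            findings.append(f"{rel}: listed in framework.json but missing")
            continue
        data = learner.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if manifest.get(rel) != digest:
            findings.append(f"{rel}: sha256 {digest} not in trusted manifest")
        try:
            for module, name in sorted(unsafe_globals(data)):
                findings.append(f"{rel}: pickle references {module}.{name}")
        except ValueError as exc:  # truncated or malformed opcode stream
            findings.append(f"{rel}: unparseable pickle ({exc})")
    return findings


def demo() -> dict[str, list[str]]:
    """Build a throwaway model directory (constructed, not a real mljar export)
    and audit it once with an intact learner and once after tampering."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp)
        rel = "learner_fold_0.decision_tree"
        (model_dir / "framework.json").write_text(json.dumps({"saved": [rel]}))
        benign = pickle.dumps({"max_depth": 3})  # stand-in for a real learner object
        (model_dir / rel).write_bytes(benign)
        manifest = {rel: hashlib.sha256(benign).hexdigest()}  # what a trusted publisher ships
        results["trusted"] = check_model_dir(model_dir, manifest)
        # Swap in a pickle whose stream merely references os.system (GLOBAL then STOP,
        # no REDUCE), constructed only to exercise the scanner.
        (model_dir / rel).write_bytes(b"cos\nsystem\n.")
        results["tampered"] = check_model_dir(model_dir, manifest)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

The hash check is what actually closes the hole: it rejects any learner the publisher did not sign off on, including gadgets that only reference packages the opcode denylist allows. The opcode scan is a second, cheaper layer that also flags files whose manifest you lack, and it never calls joblib.load or pickle.load on the file it inspects.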

Disclosure

Reported via huntr. CWE-502 / CWE-94. Model file format: Joblib.
