Joblib Unrestricted Pickle Deserialization PoC

⚠️ SECURITY RESEARCH ONLY ⚠️

Vulnerability

joblib.load() uses NumpyUnpickler (inherits from pickle.Unpickler) without overriding find_class(), allowing arbitrary code execution during deserialization of untrusted .joblib files.

File: joblib/numpy_pickle.py:398
Commit: 5d1653ae4dfc1f4f01850dbe32acc080e15ccb8e
CVSS: 9.8 (Critical)

Proof of Concept

import joblib
# Loading this triggers arbitrary code execution
model = joblib.load("malicious_model.joblib")
# Proof: /tmp/joblib_pwned.txt created

Impact

Any application using joblib.load() on untrusted .joblib files is vulnerable to Remote Code Execution. This includes ML pipelines loading serialized models from Hugging Face, shared storage, or user uploads.
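The missing find_class() override described above is also the hook a defender uses. The following is an added example, not joblib's code: it works on the standard-library pickle module rather than joblib (NumpyUnpickler is never invoked here) to show what a find_class() allowlist looks like, plus a pickletools scan that lists every global a stream would resolve before anything is executed. The SAFE_GLOBALS entries and the two sample streams are constructed for the example.

```python
import base64
import io
import pickle
import pickletools
from collections import OrderedDict

# Allowlist of globals the loader legitimately needs. Constructed for this
# example; a real model loader lists the numpy/sklearn types it expects.
SAFE_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}

class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler with the find_class() override NumpyUnpickler lacks.
    Refusing here stops a REDUCE opcode from ever calling the resolved object."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def find_globals(data: bytes):
    """Statically list the (module, name) pairs a stream resolves, without
    loading it. Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4,
    where the two strings are pushed right before the opcode); strings reused
    through memo GET opcodes are not resolved by this simplified scanner."""
    refs, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            recent = (recent + [arg])[-2:]
        elif op.name == "GLOBAL":
            refs.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            refs.append(tuple(recent))
    return refs

def load_model_safely(data: bytes):
    """Scan first, then unpickle under the allowlist. Returns (ok, value)."""
    bad = [g for g in find_globals(data) if g not in SAFE_GLOBALS]
    if bad:
        return False, f"refused, stream references {bad}"
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, f"refused, {exc}"

# Constructed inputs: a harmless model-like object, and a stream that only
# references a stdlib function outside the allowlist (the scanner must flag it).
BENIGN = pickle.dumps(OrderedDict(a=1), protocol=4)
SUSPICIOUS = pickle.dumps(base64.b64decode, protocol=4)
```

The scan is a pre-check only; the find_class() override is what actually prevents execution, which is why both are applied in load_model_safely().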

Files

  • malicious_model.joblib - Simple RCE PoC
  • malicious_numpy_model.joblib - Numpy-wrapped variant