Joblib OOM PoC - CWE-789
A 289-byte .joblib file that forces a 3.73 GB memory allocation when loaded.
Summary
CWE-789: Uncontrolled Memory Allocation in NumpyArrayWrapper.read_array().
Shape metadata from the deserialized file is used directly in np.empty(count, dtype)
without bounds checking. A shape of (500000000,) forces a 3.73 GB allocation from a 289-byte file.
- Amplification: 289 bytes → 3.73 GB (13.8 million to 1)
- Affected: joblib <= 1.4.2 (all versions, latest included)
- Attack path: joblib.load() → NumpyArrayWrapper → np.empty(count, dtype)
Reproduction
import joblib, resource  # the resource module is Unix-only

# Limit memory to safely observe OOM
resource.setrlimit(resource.RLIMIT_AS, (512*1024*1024, 512*1024*1024))
try:
    joblib.load('malicious.joblib')
except MemoryError as e:
    print(f"OOM confirmed: {e}")
Expected output:
OOM confirmed: Unable to allocate 3.73 GiB for an array with shape (500000000,) and data type float64
Root Cause
joblib/numpy_pickle.py:193:
array = unpickler.np.empty(count, dtype=self.dtype)
count is computed from self.shape, which comes directly from the deserialized file metadata.
No maximum allocation size check is performed before calling np.empty().
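The missing check could look like the sketch below. This is an added example, not joblib's code or a patch from the project: checked_nbytes, stream_bytes_left, AllocationRefused and the 256 MiB DEFAULT_MAX_BYTES are hypothetical names and an assumed policy value. The stream-length comparison only holds for uncompressed files, where the array bytes must be physically present after the header.

```python
import math
import os

DEFAULT_MAX_BYTES = 256 * 1024 * 1024  # assumed policy cap, tune per deployment


class AllocationRefused(ValueError):
    """Declared array metadata asks for more memory than is allowed."""


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def checked_nbytes(shape, itemsize, max_bytes=DEFAULT_MAX_BYTES, bytes_left=None):
    """Return the allocation size implied by (shape, itemsize), or raise.

    bytes_left: payload bytes remaining in an uncompressed stream, if known.
    An array cannot legitimately be larger than the data that backs it.
    """
    if not _is_int(itemsize) or itemsize <= 0:
        raise AllocationRefused(f"bad itemsize: {itemsize!r}")
    for dim in shape:
        if not _is_int(dim) or dim < 0:
            raise AllocationRefused(f"bad dimension: {dim!r}")
    nbytes = math.prod(shape) * itemsize  # Python ints cannot overflow here
    if nbytes > max_bytes:
        raise AllocationRefused(f"{nbytes} bytes exceeds cap of {max_bytes}")
    if bytes_left is not None and nbytes > bytes_left:
        raise AllocationRefused(
            f"{nbytes} bytes declared, only {bytes_left} left in stream")
    return nbytes


def stream_bytes_left(fileobj):
    """Bytes between the current position and the end of a seekable file."""
    pos = fileobj.tell()
    end = fileobj.seek(0, os.SEEK_END)
    fileobj.seek(pos)  # restore the caller's position
    return end - pos


if __name__ == "__main__":
    # Constructed values matching the page: shape (500000000,), float64, 289-byte file.
    try:
        checked_nbytes((500_000_000,), 8, bytes_left=289)
    except AllocationRefused as exc:
        print(f"refused: {exc}")
```

The check belongs immediately before the np.empty() call, so the size is validated against both the cap and the data actually available before any memory is requested.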