CVE-2024-34997 Overview
CVE-2024-34997 is a deserialization vulnerability discovered in joblib version 1.4.2, a Python library widely used for lightweight pipelining and caching of function results. The vulnerability exists within the joblib.numpy_pickle::NumpyArrayWrapper().read_array() component, which could potentially allow an attacker to execute arbitrary code through maliciously crafted serialized data.
Note: This vulnerability is disputed by the supplier because NumpyArrayWrapper is only used during caching of trusted content. However, organizations should evaluate their risk based on how joblib is used within their environments.
Critical Impact
Insecure deserialization in joblib could allow remote code execution if an attacker can supply malicious cached data to a target system using the vulnerable NumpyArrayWrapper().read_array() function.
Affected Products
- joblib version 1.4.2 (Python package)
- Applications and machine learning pipelines utilizing joblib for caching
- Systems loading untrusted or externally-sourced cached pickle files
Discovery Timeline
- 2024-05-17 - CVE-2024-34997 published to NVD
- 2025-09-29 - Last updated in NVD database
Technical Details for CVE-2024-34997
Vulnerability Analysis
This vulnerability falls under CWE-502 (Deserialization of Untrusted Data), a well-known class of security weaknesses that can lead to severe consequences including remote code execution. The vulnerability is located in the NumpyArrayWrapper().read_array() method within joblib's numpy pickle handling code.
The attack requires network access with low privileges and high complexity to exploit. If successful, an attacker could achieve complete compromise of confidentiality, integrity, and availability of the target system. The primary concern is that deserialization vulnerabilities in Python pickle-based systems can be weaponized to instantiate arbitrary objects and execute code during the unpickling process.
The supplier disputes this CVE, arguing that NumpyArrayWrapper is specifically designed for internal caching operations where the cached content is inherently trusted. However, security researchers have raised concerns about scenarios where cached data might originate from untrusted sources or could be tampered with by an adversary.
Root Cause
The root cause is the inherent insecurity of Python's pickle serialization mechanism when handling untrusted data. The NumpyArrayWrapper class deserializes NumPy array data from cached files, and if an attacker can inject a malicious pickle payload into a cache file that is subsequently read by the vulnerable function, arbitrary code execution may be possible.
Python's pickle module documentation explicitly warns that "pickle is not secure. Only unpickle data you trust." The vulnerability arises when this fundamental assumption is violated—particularly in environments where cached data may be modified by external actors or loaded from untrusted network locations.
Attack Vector
The attack vector for this vulnerability is network-based, though exploitation complexity is high. An attacker would need to:
- Identify a target application using joblib for caching operations
- Gain the ability to inject or modify cached pickle files (e.g., through a shared cache directory, network file system, or by compromising a cache storage mechanism)
- Craft a malicious pickle payload that triggers code execution when deserialized by NumpyArrayWrapper().read_array()
- Wait for or trigger the victim application to load the poisoned cache file
The exploitation mechanism leverages Python's __reduce__ method or similar pickle gadgets to execute arbitrary commands during deserialization. Technical details and discussion can be found in GitHub Issue #1582 and GitHub Issue #977.
Detection Methods for CVE-2024-34997
Indicators of Compromise
- Unexpected modifications to joblib cache files or directories
- Anomalous process spawning from Python applications using joblib
- Suspicious network connections initiated by cached function execution
- Unusual file system access patterns in cache directories
Detection Strategies
- Monitor for file integrity changes in joblib cache directories
- Implement runtime application self-protection (RASP) to detect deserialization attacks
- Deploy endpoint detection rules for pickle-based exploitation patterns
- Audit Python applications for joblib usage with externally-sourced cache files
Monitoring Recommendations
- Enable detailed logging for applications utilizing joblib caching functionality
- Monitor for unexpected subprocess creation from Python processes
- Implement file integrity monitoring on cache storage locations
- Review access controls on shared cache directories and network file systems
How to Mitigate CVE-2024-34997
Immediate Actions Required
- Audit all applications using joblib to determine if cache files could originate from untrusted sources
- Ensure joblib cache directories have restrictive file system permissions
- Avoid loading cached data from network locations or shared directories accessible to untrusted parties
- Consider implementing cache file integrity verification mechanisms
Patch Information
As of the last update, the vulnerability remains disputed by the vendor. The supplier's position is that NumpyArrayWrapper is designed for trusted content caching scenarios. Organizations should monitor GitHub Issue #1582 for any updates or patches that may address this concern.
For environments where untrusted cache data is a risk, consider architectural changes to ensure all cached content originates from trusted sources only.
Workarounds
- Restrict cache storage to local directories with strict file permissions (mode 0700)
- Implement application-level validation of cache file sources before loading
- Use signed or encrypted cache files when cache data must traverse untrusted channels
- Consider alternative caching mechanisms for sensitive applications where cache provenance cannot be guaranteed
# Configuration example - Secure cache directory permissions
chmod 700 /path/to/joblib/cache
chown appuser:appuser /path/to/joblib/cache
# Verify no world-readable or group-writable permissions
ls -la /path/to/joblib/cache
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
