Closed tomMoral closed 3 days ago
Hi @tomMoral, thank you for your contribution. GHSA-rf65-fc2p-2gjv is unreviewed in our database and therefore, will not send out alerts. To get the CVE removed, please contact MITRE (the assigning CNA) with your concerns.
Updates
Comments
Here, the
NumpyArrayWrapper
is used internally to persist numpy arrays in the context of sharing objects between two processes/distributed experiments/caching. The same issue is present natively in thepickle
protocol, but it is used in this context, as the pickle is produced by the main process, which should have a secure connection with the worker processes. Forjoblib.load
there is a note stating it shouldnever be used to load files from untrusted sources
.So I think this security alert can be dropped.