Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because exploitation depends on the victim routing an untrusted model through vulnerable picklescan and having torch importable; UI:R for the victim loading the file; full RCE gives C/I/A:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.30 fails to detect malicious pickle files that invoke torch.utils.bottleneck.__main__.run_autograd_prof function. Attackers can embed undetected code in pickle files that executes during deserialization, enabling remote code execution.
AnalysisAI
Malicious-pickle detection bypass in picklescan before 0.0.30 allows attackers to smuggle undetected remote code execution payloads past the scanner by abusing the torch.utils.bottleneck.__main__.run_autograd_prof gadget, which was absent from picklescan's dangerous-import blocklist. Because picklescan is used as a security gate to vet untrusted ML model files, a false-negative here means a crafted model passes as safe and executes arbitrary code when subsequently deserialized. Reported by VulnCheck via GHSA-4whj-rm5r-c2v8; no public exploit identified at time of analysis, and it is not on CISA KEV.
Technical ContextAI
picklescan is a Python security tool that statically inspects Python pickle files (commonly PyTorch .bin/.pt model weights) for calls to known-dangerous callables before a user loads them. The weakness is CWE-502 (Deserialization of Untrusted Data) applied at the scanner layer: pickle's opcode stream can invoke arbitrary importable callables during unpickling, and picklescan relies on a blocklist of such callables. The torch.utils.bottleneck.__main__.run_autograd_prof function - part of PyTorch's bottleneck profiling utility - was not enumerated in that blocklist, so a REDUCE/GLOBAL opcode referencing it evaded detection. The only affected product per CPE is cpe:2.3:a:picklescan:picklescan (all versions before 0.0.30); the downstream impact lands on any host that unpickles the file, typically a PyTorch/ML pipeline.
RemediationAI
Upgrade picklescan to version 0.0.30 or later, which adds torch.utils.bottleneck.__main__.run_autograd_prof to its detection set (Vendor-released patch: 0.0.30); pin this minimum in requirements/lockfiles and rebuild any container images or CI/CD scanners that bundle the library. Follow the fix per GHSA-4whj-rm5r-c2v8 and the VulnCheck advisory linked above. Because this is a detection-bypass rather than a code-execution bug in picklescan itself, do not treat the scanner as a sole control: prefer loading models with a safe format (safetensors) instead of pickle, and where pickle is unavoidable, deserialize untrusted models only in a sandboxed, network-isolated, least-privilege environment. As a compensating control until upgrade, block or quarantine externally sourced .bin/.pt/.pkl model files and require provenance/signature verification of model artifacts - the trade-off is added friction ingesting third-party models from hubs.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210412
GHSA-vwrw-h95r-ch46