Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered malicious artifact but AC:H and UI:R because the victim must load it in a torch environment relying on picklescan; PR:N as no auth is needed, and full RCE gives C/I/A:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.28 fails to detect malicious pickle files that exploit torch._dynamo.guards.GuardBuilder.get function in reduce methods. Attackers can craft pickle files with embedded code that evades picklescan detection and executes arbitrary commands when loaded.
AnalysisAI
Detection bypass in picklescan before 0.0.28 lets attackers smuggle malicious pickle files past the scanner by abusing the torch._dynamo.guards.GuardBuilder.get gadget inside a __reduce__ method, so a file that picklescan reports as safe still executes arbitrary commands when deserialized (e.g. via torch.load). This undermines the security control that ML pipelines and model hubs rely on to vet untrusted model artifacts, turning a trusted-scan result into a false negative. Reported by VulnCheck with a vendor GHSA advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
The affected component (cpe:2.3:a:picklescan:picklescan) is a Python security scanner that statically inspects pickle opcode streams to flag dangerous callables before a model is deserialized. Python's pickle format (CWE-502, Deserialization of Untrusted Data) allows an object to define a __reduce__ method that returns a callable and arguments executed at load time; picklescan works by detecting known-dangerous callables in that stream. This flaw is a gadget-coverage gap: the torch._dynamo.guards.GuardBuilder.get function - part of PyTorch's Dynamo guard machinery - can be reached through a reduce method to obtain code execution, but picklescan's pre-0.0.28 detection logic did not recognize it as a dangerous import, so the crafted stream evades the allow/deny analysis. The actual code-execution primitive lives in PyTorch's deserialization path; picklescan's defect is failing to detect it.
RemediationAI
Vendor-released patch: upgrade picklescan to 0.0.28 or later, which adds detection for the torch._dynamo.guards.GuardBuilder.get gadget; see GHSA-86cj-95qr-2p4f (https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f) and the VulnCheck writeup (https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-torch-dynamo-guards-guardbuilder-get). Because the flaw is a scanner blind spot rather than a runtime bug, the strongest compensating control is to stop treating pickle scanning as a sufficient trust boundary: prefer non-executable model formats such as safetensors (trade-off: requires re-exporting or converting existing checkpoints), and load untrusted PyTorch checkpoints with weights_only=True where feasible (trade-off: fails on checkpoints that legitimately pickle non-tensor objects). Additionally, load only models from trusted, integrity-verified sources using signing or hash allowlists, and deserialize untrusted artifacts in a sandboxed or network-isolated environment so a successful reduce-method callback cannot reach sensitive systems (trade-off: added pipeline complexity and latency).
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210414
GHSA-chm9-4rm6-p4gf