Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered malicious file with high confidentiality/integrity impact, but AC:H and UI:R because success depends on the victim relying on picklescan and then unpickling the file.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.28 fails to detect malicious torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function calls in pickle files. Attackers can embed undetected code in pickle files that executes remote code when loaded by victims.
AnalysisAI
Security scanner bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code past the tool's malware detection by abusing torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression, which is not on picklescan's dangerous-globals blocklist. Because picklescan is a defensive tool used to vet untrusted ML pickle files (notably in the Hugging Face ecosystem), a bypass causes a malicious model to be marked safe and then execute remote code when the victim deserializes it. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV, but the technique is fully described in the VulnCheck advisory.
Technical ContextAI
picklescan is a Python static-analysis utility that inspects Python pickle streams for references to dangerous callables (globals) before a user unpickles an untrusted file, a common defense for machine-learning model files (.pt/.bin/.pkl) that are natively pickle-serialized. CWE-502 (Deserialization of Untrusted Data) is the root class: Python's pickle can invoke arbitrary importable callables during load via REDUCE/GLOBAL opcodes. picklescan works from a denylist of known-dangerous functions, and this flaw is a denylist gap - torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression evaluates attacker-controllable expressions but was not recognized as dangerous, so pickles invoking it pass the scan yet still achieve code execution when loaded through PyTorch. The affected component is picklescan itself (cpe:2.3:a:picklescan:picklescan), not PyTorch; PyTorch is merely the vehicle supplying the abusable gadget.
RemediationAI
Upgrade picklescan to version 0.0.28 or later, which adds detection for the torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression gadget (Vendor-released patch: 0.0.28); see GHSA-f4x7-rfwp-v3xw. Because this is a denylist-completeness bug, treat picklescan's verdict as advisory rather than authoritative: where feasible, avoid loading untrusted pickles entirely and prefer non-executable serialization such as safetensors for model weights, which eliminates the deserialization code-execution class rather than merely scanning for it. As compensating controls until every scanning host is upgraded, unpickle untrusted files only inside a sandboxed/network-isolated process with least privilege so that a bypass yields no useful execution context, and quarantine or re-scan already-ingested models that passed an older picklescan version - the trade-off is added pipeline latency and, for safetensors migration, re-exporting existing model artifacts.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210415
GHSA-gpmh-464g-j3r8