Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious file delivered over network (AV:N) with no auth (PR:N) but needs the victim to scan-then-load it (UI:R); successful pickle code execution yields full host compromise (C/I/A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.34 fails to detect _operator.attrgetter function calls in pickle payloads, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using _operator.attrgetter in reduce methods to execute arbitrary code when pickle.load() processes the file.
AnalysisAI
Security-scanner detection bypass in picklescan before 0.0.34 lets attackers slip malicious pickle files past its checks by invoking _operator.attrgetter inside a reduce method, so a file the scanner reports as clean still executes arbitrary code when pickle.load() deserializes it. The flaw affects ML/AI supply-chain pipelines that rely on picklescan to vet untrusted model files. No public exploit identified at time of analysis; the issue was reported by VulnCheck and fixed in 0.0.34.
Technical ContextAI
picklescan is a Python static-analysis tool that inspects pickle serialization streams for dangerous global/reduce opcodes before a model is loaded, and is used across the ML ecosystem (e.g., Hugging Face model vetting). The root cause is CWE-502 (Deserialization of Untrusted Data) expressed as an incomplete denylist: picklescan enumerates known dangerous callables but omitted _operator.attrgetter, a stdlib factory that returns a callable retrieving named attributes. Because attrgetter can be chained to resolve arbitrary attributes/callables at unpickling time, an attacker can reach code-execution primitives that the scanner never flagged, defeating the very control meant to make pickle loading safe. The single affected package is identified by cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* for all versions prior to 0.0.34.
RemediationAI
Vendor-released patch: upgrade picklescan to version 0.0.34 or later, which adds detection for _operator.attrgetter, then re-scan any model files previously cleared by an older version. Until upgraded, do not treat picklescan output from vulnerable versions as authoritative: avoid loading pickle-format models from untrusted sources, and where possible switch model serialization to a non-executable format such as safetensors, which eliminates the pickle code-execution class entirely (trade-off: requires converting existing artifacts and only covers tensor weights). As a compensating control, run any required pickle loading inside a sandboxed/network-isolated, least-privilege environment so that a bypassed payload cannot reach sensitive resources (trade-off: added pipeline complexity and latency). See GHSA-46h3-79wf-xr6c and the VulnCheck advisory (https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-operator-attrgetter-detection-bypass) for confirmation.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210421
GHSA-j2vq-r4j3-cj5m