Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered file but success needs the victim to scan-then-load a crafted model (UI:R) and depends on the specific unlisted gadget and PyTorch presence (AC:H); code execution yields C:H/I:H, no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.28 fails to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, allowing attackers to bypass safety checks. Remote attackers can embed undetected malicious code in pickle files that executes during deserialization, enabling remote code execution.
AnalysisAI
Safety-check bypass in picklescan before 0.0.28 allows attackers to smuggle malicious pickle files past the scanner by abusing torch.utils.data.datapipes.utils.decoder.basichandlers as a reduce gadget, so a payload the tool reports as clean still executes arbitrary code when the victim deserializes it. Because picklescan is a defensive scanner used to vet untrusted ML models (notably in Hugging Face workflows), this blind spot converts a trusted safety gate into a false sense of security. No public exploit identified at time of analysis, and it is not on CISA KEV; CVSS 4.0 base score is 7.6.
Technical ContextAI
picklescan statically inspects Python pickle streams to flag dangerous opcodes and imports that could trigger code execution during unpickling (CWE-502, Deserialization of Untrusted Data). Pickle's __reduce__ mechanism lets a serialized object specify a callable and arguments to run on load, which is the classic RCE primitive. The scanner maintains allow/deny lists of callables, and this flaw is a gap in that list: torch.utils.data.datapipes.utils.decoder.basichandlers - a PyTorch DataPipes decoder helper - was not recognized as an unsafe reduce target, so a crafted pickle routing execution through it evaded detection. The affected component is picklescan itself (cpe:2.3:a:picklescan:picklescan), the tool defenders rely on to gate untrusted PyTorch/ML model files.
RemediationAI
Upgrade picklescan to 0.0.28 or later, which adds detection for the torch.utils.data.datapipes.utils.decoder.basichandlers reduce gadget (Vendor-released patch: 0.0.28); see GHSA-h3qp-7fh3-f8h4 and the VulnCheck advisory for details. As a compensating control until upgraded, do not treat a picklescan 'clean' result as sufficient authorization to load a model: prefer loading models via safetensors instead of pickle to eliminate the deserialization primitive entirely, or restrict pickle loading to trusted publishers only. Where pickle loading is unavoidable, sandbox the deserialization process (isolated container, dropped privileges, no outbound network) so that any bypassed payload is contained - the trade-off is added pipeline complexity and latency. Avoid relying solely on scanner allowlists, since this CVE demonstrates that any single unlisted gadget defeats them.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210422
GHSA-gphx-c88f-73gw