Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote payload but exploitation needs the victim to scan with a vulnerable picklescan and then load the file, so AC:H and UI:R; successful unpickling yields full RCE, hence C:H/I:H/A:H with PR:N.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.29 fails to detect malicious pickle files using code.InteractiveInterpreter.runcode in reduce methods. Attackers can craft pickle payloads that bypass picklescan detection and execute arbitrary code when loaded via pickle.load().
AnalysisAI
Malicious-pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle weaponized pickle files past the scanner by abusing code.InteractiveInterpreter.runcode inside a __reduce__ method, leading to arbitrary code execution when the file is later deserialized with pickle.load(). picklescan is a security scanner specifically meant to flag dangerous pickles (e.g. in ML model files), so a gap in its blocklist directly defeats the control users rely on. Reported by VulnCheck with an assigned CVSS 4.0 score of 7.6; no public exploit and no CISA KEV listing identified at time of analysis.
Technical ContextAI
Python's pickle format is inherently unsafe: during unpickling, an object's __reduce__ method can return a callable and arguments that pickle will execute, which is the canonical CWE-502 (Deserialization of Untrusted Data) vector. picklescan defends against this by statically inspecting pickle opcodes/imports and blocklisting known dangerous callables before a file is trusted. The flaw is that its blocklist did not account for code.InteractiveInterpreter.runcode (from Python's standard code module), which can execute arbitrary Python passed to it. By routing payload execution through this unrecognized callable in a crafted __reduce__, an attacker produces a pickle that picklescan rates as clean but that runs code on load. The single affected component per CPE is cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:*.
RemediationAI
Vendor-released patch: 0.0.29 - upgrade picklescan to 0.0.29 or later (e.g. pip install --upgrade 'picklescan>=0.0.29') so the scanner recognizes the code.InteractiveInterpreter.runcode vector. Until upgraded, do not treat a clean picklescan result from an older version as authoritative; compensating controls include refusing to load pickles from untrusted sources, preferring safe serialization formats such as safetensors for ML model weights (trade-off: requires model re-export/conversion), and unpickling only inside a sandboxed/least-privilege process with no network or sensitive filesystem access (trade-off: added operational complexity). Review the GitHub advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cj3c-v495-4xqh and the VulnCheck advisory at https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-code-interactiveinterpreter-detection-bypass for authoritative guidance.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210391
GHSA-h96j-r2w4-m289