Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker-supplied file is network-delivered (AV:N) and simple to craft (AC:L), but code runs only when the victim scans and loads it (UI:R); full C/I compromise via code execution, no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.34 fails to detect the _operator.methodcaller built-in function when scanning pickle files for malicious code. Attackers can craft malicious pickle payloads using _operator.methodcaller that evade detection and execute arbitrary code when loaded by pickle.load().
AnalysisAI
Malicious code execution via scanner bypass affects picklescan before 0.0.34, a security tool used to vet pickle files for unsafe deserialization before loading ML model artifacts. The scanner fails to flag the _operator.methodcaller built-in, so an attacker can craft a pickle that passes picklescan's malware check yet executes arbitrary code the moment a victim calls pickle.load(). No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; the fix landed in version 0.0.34.
Technical ContextAI
picklescan is a Python library and CLI that statically inspects pickle opcodes to detect dangerous global/reduce references before deserialization, commonly deployed in ML supply-chain pipelines (e.g., scanning Hugging Face model files). The root cause is CWE-502 (Deserialization of Untrusted Data) compounded by an incomplete denylist: picklescan enumerates known-dangerous callables but omitted _operator.methodcaller from its unsafe-globals set. methodcaller returns a callable that invokes an arbitrary named method on its argument, which pickle's REDUCE machinery can chain into code execution. Because the affected component is the scanner itself (cpe:2.3:a:picklescan:picklescan:*), every version prior to 0.0.34 provides a false sense of safety rather than a direct vulnerability in a runtime service.
RemediationAI
Vendor-released patch: 0.0.34 - upgrade picklescan to 0.0.34 or later (e.g., pip install --upgrade 'picklescan>=0.0.34') so the scanner recognizes _operator.methodcaller as an unsafe global, per the GHSA-955r-x9j8-7rhh advisory. Because a scanner bypass is only exploitable if you actually load the file, the strongest compensating control is to avoid pickle for untrusted inputs entirely: prefer safetensors or another non-executable serialization format for ML weights, which eliminates the deserialization class rather than patching one bypass (trade-off: requires converting/re-exporting existing model artifacts). Where pickle is unavoidable, load untrusted files only inside a sandboxed, network-isolated, least-privilege process and treat any picklescan 'clean' result on a pre-0.0.34 version as untrustworthy; do not rely on scanning alone as your trust boundary until the upgrade is applied.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210425
GHSA-xgj3-g5r2-m8rf