Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered malicious file (AV:N), reliable bypass once crafted (AC:L) but dependent on the victim loading the file (AT:P, UI:P), no authentication (PR:N); full code execution as the user yields high confidentiality and integrity impact (VC:H, VI:H).
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.get_entity function in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims using pickle.load().
Analysis (AI)
Detection bypass in picklescan before 0.0.29 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing the idlelib.autocomplete.AutoComplete.get_entity function inside __reduce__ methods. Because picklescan does not flag this function as dangerous, malicious ML model files (e.g., PyTorch checkpoints) pass the scan as clean but execute attacker commands the moment a victim calls pickle.load(). Publicly available exploit code exists in the GHSA advisory, but at time of analysis the vulnerability was not listed in CISA's Known Exploited Vulnerabilities catalog.
Technical Context (AI)
picklescan is a Python scanner designed to identify dangerous opcodes and callables within pickle streams, primarily used to vet PyTorch and other ML model files before deserialization. The vulnerability is a classic CWE-502 (Deserialization of Untrusted Data) bypass: pickle's __reduce__ protocol allows a class to specify any callable to invoke at load time, and picklescan maintains a denylist of callables it considers dangerous. The Python standard library's idlelib.autocomplete.AutoComplete.get_entity ultimately passes its attacker-controlled name argument to eval(), but it was absent from picklescan's denylist, so a payload chaining it with a string like "__import__('os').system('whoami')" passes scanning and detonates on pickle.load().
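The denylist scan described above, as an added example that is not picklescan's own code: it walks the opcode stream with pickletools.genops and never calls pickle.load, so a flagged file is never executed. The DENYLIST contents and the constructed sample pickles are assumptions; the constructed sample only imports a global and then stops (no REDUCE), so it demonstrates detection without carrying a payload.

```python
"""Static denylist scan of a pickle stream.

Added example for this page; it is not picklescan's own code and DENYLIST
below is a hypothetical subset. The scan walks opcodes with pickletools.genops
and never calls pickle.load, so a flagged file is never executed.
"""
import io
import pickle
import pickletools

# Hypothetical denylist of (module, qualified name) pairs. A reference to a
# nested attribute is also matched by its owning name (prefix match below).
DENYLIST = {
    ("idlelib.autocomplete", "AutoComplete.get_entity"),  # primitive from this CVE
    ("builtins", "eval"),
    ("builtins", "exec"),
    ("os", "system"),
    ("subprocess", "Popen"),
}
UNRESOLVED = ("?", "?")  # a STACK_GLOBAL whose operands could not be tracked

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def referenced_globals(data: bytes):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL opcode in the stream.

    STACK_GLOBAL takes its operands from the pickle stack, so this tracks the
    string constants pushed directly or fetched from the memo. Anything it
    cannot resolve is reported as UNRESOLVED so the scan fails closed.
    """
    strings = []        # string constants pushed so far, newest last
    memo = {}           # memo slot -> string constant (non-strings not tracked)
    memoize_index = 0   # MEMOIZE assigns memo slots sequentially
    last_string = None  # top of stack, if it is a string constant
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        name = op.name
        if name == "GLOBAL":            # protocols 0-3: "module name" in the opcode arg
            module, qualname = arg.split(" ", 1)
            yield module, qualname
            last_string = None
        elif name in STRING_OPS:
            strings.append(arg)
            last_string = arg
        elif name == "MEMOIZE":
            memo[memoize_index] = last_string
            memoize_index += 1
        elif name in PUT_OPS:
            memo[arg] = last_string
        elif name in GET_OPS:
            last_string = memo.get(arg)
            if last_string is not None:
                strings.append(last_string)
        elif name == "STACK_GLOBAL":    # protocol 4+: module and name come from the stack
            if len(strings) >= 2:
                qualname = strings.pop()
                module = strings.pop()
                yield module, qualname
            else:
                yield UNRESOLVED
            last_string = None
        else:
            last_string = None


def is_denied(module: str, qualname: str) -> bool:
    """Exact or owning-name match against DENYLIST; unresolved references are denied."""
    if (module, qualname) == UNRESOLVED:
        return True
    for denied_module, denied_name in DENYLIST:
        if module == denied_module and (qualname == denied_name
                                        or qualname.startswith(denied_name + ".")):
            return True
    return False


def scan(data: bytes) -> list:
    """Return the denylisted references found; an empty list means the scan passed."""
    return [ref for ref in referenced_globals(data) if is_denied(*ref)]


def reference_only_pickle(module: str, qualname: str) -> bytes:
    """Constructed protocol-4 sample that imports one global and stops.

    There is no REDUCE opcode, so loading it would merely return the object."""
    def short_unicode(s):
        b = s.encode("utf-8")
        return b"\x8c" + bytes([len(b)]) + b       # SHORT_BINUNICODE
    return (b"\x80\x04"                            # PROTO 4
            + short_unicode(module) + b"\x94"      # MEMOIZE
            + short_unicode(qualname) + b"\x94"
            + b"\x93"                              # STACK_GLOBAL
            + b".")                                # STOP


def clean_sample() -> bytes:
    """Constructed stand-in for a plain weights checkpoint with no globals."""
    return pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=4)


if __name__ == "__main__":
    print("clean:", scan(clean_sample()))
    print("flagged:", scan(reference_only_pickle("idlelib.autocomplete",
                                                 "AutoComplete.get_entity")))
```

The scan is opcode-level and never resolves the names it sees, which is what makes it safe to run on untrusted files; the flip side, as the page notes, is that a denylist only catches primitives someone has already added to it.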
Remediation (AI)
Vendor-released patch: upgrade picklescan to 0.0.29 or later (pip install --upgrade 'picklescan>=0.0.29'; the quotes keep the shell from treating >= as a redirection), which adds idlelib.autocomplete.AutoComplete.get_entity to the dangerous-callables list per commit aecd11be98702caa9ba9b12189d91ad596a36114. Consult the advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6w4w-5w54-rjvr for details. If immediate upgrade is not possible, treat all unverified pickle/PyTorch files as untrusted and load them only with safer alternatives: prefer safetensors for model weights, use torch.load(..., weights_only=True) on PyTorch >=2.4 (rejects arbitrary callables but breaks models that rely on custom classes), or run pickle.load in a sandboxed/ephemeral container with no network and no secrets (adds operational complexity and latency). As a stopgap, you can extend picklescan's denylist with idlelib.autocomplete.AutoComplete.get_entity locally, accepting that other unknown bypass primitives may still exist.
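The "reject arbitrary callables" fallback, as an added example that is neither picklescan's nor PyTorch's code: an allowlist-based unpickler following the RestrictedUnpickler pattern from the Python pickle documentation, which is the same principle torch.load(weights_only=True) applies. The ALLOWED_GLOBALS set and the sample checkpoints are assumptions.

```python
"""Fail-closed loading of an untrusted pickle: allowlist instead of denylist.

Added example, not picklescan's or PyTorch's code. find_class is the only
route by which a pickle stream obtains a callable, so overriding it to admit
an explicit allowlist rejects every other global, including primitives that
no denylist knows about yet.
"""
import io
import pickle
import pickletools
from collections import OrderedDict

# Hypothetical allowlist of globals a plain weights checkpoint may reference.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not in the allowlist")


def safe_load(data: bytes):
    """Load a pickle stream, raising UnpicklingError on any non-allowlisted global."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (True, value) on success or (False, reason) when the load was refused."""
    try:
        return True, safe_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def sample_checkpoint() -> bytes:
    """Constructed stand-in for a state_dict-style checkpoint (OrderedDict of lists)."""
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]),
                                     ("layer.bias", [0.0])]), protocol=4)


def sample_global_reference() -> bytes:
    """Constructed stream that references a callable not on the allowlist.

    pickletools.genops is a harmless stand-in; the unpickler refuses it before
    resolving the name, exactly as it would refuse any attacker-chosen callable."""
    return pickle.dumps(pickletools.genops, protocol=4)


if __name__ == "__main__":
    print(try_load(sample_checkpoint()))
    print(try_load(sample_global_reference()))
```

The trade-off is the one the page already names for weights_only: a checkpoint that legitimately pickles a custom class will be refused until that class is added to the allowlist, so this is a fit for plain weight dictionaries rather than arbitrary model objects.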
EUVD ID: EUVD-2025-210303