Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered malicious file with no privileges but requiring the victim to load it (UI:R); arbitrary code execution gives C:H/I:H, with no direct availability impact and unchanged scope.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using trace.Trace.run in the reduce method to achieve arbitrary code execution when pickle.load processes the file.
AnalysisAI
Malicious pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle arbitrary code execution payloads past the scanner by abusing the built-in trace.Trace.run function inside a pickle's __reduce__ method. Because picklescan does not flag trace.Trace.run as a dangerous global, a crafted model/pickle file is reported as safe yet executes arbitrary code when later deserialized via pickle.load. No public exploit identified at time of analysis; this is a classic deny-list gap in a security scanner that defenders rely on to gate untrusted ML artifacts.
Technical ContextAI
picklescan is a Python security tool that statically inspects pickle (and pickle-based ML model) files for references to dangerous callables before they are unpickled, and is used in ML supply-chain workflows to screen untrusted models. Python's pickle format is inherently code-executing: the __reduce__ protocol lets an object specify a callable and arguments invoked at load time, which is the basis of CWE-502 (Deserialization of Untrusted Data). picklescan defends against this by matching imported globals against a blocklist of known-dangerous functions (os.system, eval, etc.). The root cause here is an incomplete blocklist: the standard-library trace.Trace.run callable, which executes a passed code/command string, was not enumerated as dangerous, so an attacker placing trace.Trace.run in the reduce tuple slips through undetected while still yielding execution on pickle.load. The CPE cpe:2.3:a:picklescan:picklescan:*:*:* confirms the affected component is picklescan itself across all versions prior to the fix.
RemediationAI
Vendor-released patch: upgrade picklescan to version 0.0.29 or later, which adds trace.Trace.run to the dangerous-globals detection set (see GHSA-5qwp-399c-mjwf and the VulnCheck advisory linked above). As a compensating control where immediate upgrade is not possible, do not treat a clean picklescan result from an old version as authoritative: avoid pickle.load on any untrusted or third-party model file, and prefer safer serialization formats such as safetensors for ML weights, which trade some flexibility for eliminating arbitrary-code execution. Additionally, unpickle untrusted artifacts only inside a sandboxed, network-restricted, least-privilege environment so that a bypass does not translate into host compromise; the trade-off is added pipeline complexity and the loss of pickle's convenience for arbitrary Python objects.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210385
GHSA-3cjr-683m-5fxh