Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered malicious file requires the victim to scan-and-load it (UI:R) with no auth (PR:N); successful unpickling yields arbitrary command execution, so full C/I/A.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.28 fails to detect malicious pickle files using torch.utils.collect_env.run function in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims.
AnalysisAI
Malicious-pickle detection bypass in picklescan before 0.0.28 lets attackers smuggle remote-code-execution payloads past the scanner by hiding them in a pickle reduce method that invokes torch.utils.collect_env.run, which picklescan's blocklist failed to flag. Because picklescan is the gatekeeper many ML pipelines rely on to vet untrusted models (notably scanning Hugging Face artifacts), a 'clean' verdict on a weaponized file directly leads to command execution when the victim deserializes it. Reported by VulnCheck with a fix in 0.0.28; no public exploit identified at time of analysis and not listed in CISA KEV.
Technical ContextAI
picklescan is a Python tool that statically inspects Python pickle files for dangerous opcodes and global references before they are loaded, acting as a safety check for ML model distribution formats (e.g., PyTorch .bin/.pt files, which embed pickles). The root cause is CWE-502 (Deserialization of Untrusted Data): Python's pickle executes a __reduce__/REDUCE callable on load, and picklescan maintains an allow/deny list of callables it considers dangerous. The torch.utils.collect_env.run helper - a thin wrapper that shells out to run system commands for environment diagnostics - was not on picklescan's dangerous-callable list, so a reduce method pointing at it slipped through scanning while still providing arbitrary command execution at unpickle time. The CPE cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* confirms the affected component is the picklescan package itself, not PyTorch; PyTorch is merely the source of the abused gadget function.
RemediationAI
Vendor-released patch: upgrade picklescan to 0.0.28 or later, which adds torch.utils.collect_env.run to the detected dangerous-callable set; pin this minimum in requirements/CI so older versions cannot be reintroduced (see https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f745-w6jp-hpxx). Because this is a scanner-evasion bug rather than a flaw in the model loader, do not treat a picklescan 'clean' result from a pre-0.0.28 version as trustworthy. Until upgraded, compensating controls: prefer loading models in safetensors format instead of pickle (eliminates arbitrary-callable execution entirely, but requires re-exporting models); load untrusted pickles only with weights_only=True on supported PyTorch versions (blocks arbitrary global execution, though it rejects checkpoints that legitimately need non-tensor objects); and sandbox deserialization in a network-isolated, least-privilege container so a successful bypass cannot reach internal systems (adds operational overhead). Avoid relying on a second signature-based scanner alone, since the same allowlist-gap class can recur.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210386
GHSA-px3v-38wh-q34v