Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered malicious file, no attacker privileges (PR:N), but victim must scan-then-load (UI:R); successful bypass yields arbitrary command execution, so C/I/A all High.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.30 fails to detect malicious pickle files that exploit lib2to3.pgen2.pgen.ParserGenerator.make_label function in the reduce method. Attackers can craft malicious pickle files with embedded code that evades detection but executes arbitrary commands when pickle.load() is called.
AnalysisAI
Detection bypass in picklescan before 0.0.30 lets attackers smuggle malicious pickle files past the scanner by abusing lib2to3.pgen2.pgen.ParserGenerator.make_label as a reduce callable, so a file that picklescan clears still runs arbitrary commands when downstream code calls pickle.load(). picklescan is the security control itself - a static scanner used to vet ML model artifacts - so this weakness undermines the exact protection teams rely on to catch unsafe pickles. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is documented in VulnCheck and vendor advisories.
Technical ContextAI
picklescan is a Python tool that statically inspects pickle opcode streams to flag dangerous globals/reduce callables before a model is deserialized, and is embedded in ML supply-chain workflows (notably around Hugging Face model loading). The root cause is CWE-502 (Deserialization of Untrusted Data): Python's pickle format permits arbitrary object reconstruction via the __reduce__ protocol, and picklescan maintains an allow/deny model of which callables are dangerous. Here the payload routes execution through lib2to3.pgen2.pgen.ParserGenerator.make_label - a function in the standard library's legacy 2to3 grammar-parsing machinery that was not on picklescan's malicious-callable list - so the malicious REDUCE reference evades the scanner's heuristics while remaining a live code path at unpickle time. The single CPE, cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:*, confirms the flaw is in picklescan itself, not in a consuming application.
RemediationAI
Vendor-released patch: upgrade picklescan to 0.0.30 or later, which adds detection for the lib2to3.pgen2.pgen.ParserGenerator.make_label bypass; pin the dependency to >=0.0.30 across CI, model-registry, and inference pipelines and rebuild any images that vendor an older copy. Consult the maintainer advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-p9w7-82w4-7q8m and the VulnCheck writeup at https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-lib2to3-pgen2-pgen-parsergenerator-make-label-detection-bypass for confirmation. Where immediate upgrade is not possible, do not treat a clean picklescan result as sufficient: prefer safetensors or other non-pickle formats for model weights (side effect: requires re-exporting models), load untrusted pickles only inside a network-isolated, least-privilege sandbox or container so a bypass yields no useful execution context (side effect: added deployment complexity), and restrict model ingestion to trusted/signed sources (side effect: slows onboarding of third-party models).
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210411
GHSA-8f67-79jr-8vpr