Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/44392?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/44392?format=api", "purl": "pkg:pypi/picklescan@0.0.2", "type": "pypi", "namespace": "", "name": "picklescan", "version": "0.0.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.0.4", "latest_non_vulnerable_version": "1.0.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57084?format=api", "vulnerability_id": "VCID-1cj8-mnbu-6qdy", "summary": "Picklescan failed to detect to some unsafe global function in Numpy library\nAn unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited by import some built-in function in Numpy library that indrectly call some dangerous function like exec() to execute some python code as a parameter, which the attacker can import dangerous library inside like os library and execute arbitrary OS commands.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/advisories/GHSA-fj43-3qmq-673f", "reference_id": "GHSA-fj43-3qmq-673f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fj43-3qmq-673f" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fj43-3qmq-673f", "reference_id": "GHSA-fj43-3qmq-673f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fj43-3qmq-673f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45028?format=api", "purl": "pkg:pypi/picklescan@0.0.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": 
"VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.25" } ], "aliases": [ "GHSA-fj43-3qmq-673f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1cj8-mnbu-6qdy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49519?format=api", "vulnerability_id": "VCID-1ypz-maze-zqhh", "summary": "Picklescan vulnerable to Arbitrary File Writing\nPicklescan has got open() and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. 
However the module distutils isnt blocked and can be used for the same purpose ie to write arbitrary files.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-m273-6v24-x4m4", "reference_id": "GHSA-m273-6v24-x4m4", "reference_type": "", "scores": [ { 
"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m273-6v24-x4m4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4", "reference_id": "GHSA-m273-6v24-x4m4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-m273-6v24-x4m4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1ypz-maze-zqhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37110?format=api", "vulnerability_id": "VCID-2syv-syp1-6yhk", "summary": "An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. 
When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10155", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22184", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10155" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:03:48Z/" } ], "url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:03:48Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155", "reference_id": "CVE-2025-10155", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155" }, { "reference_url": "https://github.com/advisories/GHSA-jgw4-cr84-mqxg", "reference_id": "GHSA-jgw4-cr84-mqxg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jgw4-cr84-mqxg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46352?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "CVE-2025-10155", "GHSA-jgw4-cr84-mqxg", "PYSEC-2025-151" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2syv-syp1-6yhk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49521?format=api", "vulnerability_id": "VCID-2v14-5pc3-zuez", "summary": "Picklescan missing detection when calling numpy.f2py.crackfortran.getlincoef\nAn unsafe deserialization vulnerability allows an attacker to execute arbitrary code on the host when loading a malicious pickle payload from an untrusted source.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-r8g5-cgf2-4m4m", "reference_id": "GHSA-r8g5-cgf2-4m4m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r8g5-cgf2-4m4m" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-r8g5-cgf2-4m4m", "reference_id": "GHSA-r8g5-cgf2-4m4m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-r8g5-cgf2-4m4m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-r8g5-cgf2-4m4m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2v14-5pc3-zuez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57952?format=api", "vulnerability_id": "VCID-42d3-nspa-zqes", "summary": "Picklescan missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_cprofile\nUsing torch.utils.bottleneck.__main__.run_cprofile\nfunction, which is a pytorch library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/advisories/GHSA-4r9r-ch6f-vxmx", "reference_id": "GHSA-4r9r-ch6f-vxmx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4r9r-ch6f-vxmx" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4r9r-ch6f-vxmx", "reference_id": "GHSA-4r9r-ch6f-vxmx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4r9r-ch6f-vxmx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46349?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": 
"VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-4r9r-ch6f-vxmx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-42d3-nspa-zqes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47793?format=api", "vulnerability_id": "VCID-5rme-ypaf-67cc", "summary": 
"Duplicate Advisory: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.\n\n### Original Description\nAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg" }, { 
"reference_url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true" }, { "reference_url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156", "reference_id": "CVE-2025-10156", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156" }, { "reference_url": "https://github.com/advisories/GHSA-4vr7-g93g-cf6m", "reference_id": "GHSA-4vr7-g93g-cf6m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4vr7-g93g-cf6m" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/46352?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "GHSA-4vr7-g93g-cf6m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5rme-ypaf-67cc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57984?format=api", "vulnerability_id": "VCID-6ye8-sf3d-zfbg", "summary": "Picklescan has a missing detection when calling built-in python trace.Trace.run\nUsing trace.Trace.run, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": 
"https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-5qwp-399c-mjwf", "reference_id": "GHSA-5qwp-399c-mjwf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5qwp-399c-mjwf" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-5qwp-399c-mjwf", "reference_id": "GHSA-5qwp-399c-mjwf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-5qwp-399c-mjwf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": 
"VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-5qwp-399c-mjwf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ye8-sf3d-zfbg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57997?format=api", "vulnerability_id": "VCID-76yk-3zr4-87bh", "summary": "Picklescan has a missing detection when calling built-in python profile.Profile.run\nUsing profile.Profile.run, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-x696-vm39-cp64", "reference_id": "GHSA-x696-vm39-cp64", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x696-vm39-cp64" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x696-vm39-cp64", "reference_id": "GHSA-x696-vm39-cp64", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x696-vm39-cp64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-x696-vm39-cp64" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-76yk-3zr4-87bh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49522?format=api", "vulnerability_id": "VCID-8msh-r19k-juhx", "summary": "Picklescan does not block ctypes\nPicklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. 
ctypes is basically a foreign function interface library and can be used to\n* Load DLLs\n* Call C functions directly\n* Manipulate raw memory pointers.\n\nThis can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter-based Python sandboxes, as ctypes allows direct access to raw memory.\n\nThis is a more severe loophole than normal gadget chains and bypasses, as raw memory access can be used for a lot of nefarious purposes down the line if left undetected.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": 
"https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-4675-36f9-wf6r", "reference_id": "GHSA-4675-36f9-wf6r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4675-36f9-wf6r" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r", "reference_id": "GHSA-4675-36f9-wf6r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-4675-36f9-wf6r" ], 
"risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8msh-r19k-juhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49523?format=api", "vulnerability_id": "VCID-8vsp-nth6-cubp", "summary": "Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran.myeval\nPicklescan uses numpy.f2py.crackfortran.myeval, which is a function in numpy to execute remote pickle files.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/advisories/GHSA-3329-ghmp-jmv5", "reference_id": "GHSA-3329-ghmp-jmv5", "reference_type": "", "scores": [ { "value": "HIGH", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3329-ghmp-jmv5" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3329-ghmp-jmv5", "reference_id": "GHSA-3329-ghmp-jmv5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3329-ghmp-jmv5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-3329-ghmp-jmv5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8vsp-nth6-cubp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57999?format=api", "vulnerability_id": "VCID-9f46-wx2v-qfgv", "summary": "Picklescan has a missing detection when calling built-in python trace.Trace.runctx\nUsing trace.Trace.runctx, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-g344-hcph-8vgg", "reference_id": "GHSA-g344-hcph-8vgg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g344-hcph-8vgg" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g344-hcph-8vgg", "reference_id": "GHSA-g344-hcph-8vgg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g344-hcph-8vgg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { 
"vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-g344-hcph-8vgg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9f46-wx2v-qfgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49639?format=api", "vulnerability_id": "VCID-afab-1ggb-8faa", "summary": "picklescan has Arbitrary file read using `io.FileIO`\nUnsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. 
By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/55", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/55" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35" }, { "reference_url": "https://github.com/advisories/GHSA-9726-w42j-3qjr", 
"reference_id": "GHSA-9726-w42j-3qjr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9726-w42j-3qjr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr", "reference_id": "GHSA-9726-w42j-3qjr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73280?format=api", "purl": "pkg:pypi/picklescan@0.0.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.35" } ], "aliases": [ "GHSA-9726-w42j-3qjr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-afab-1ggb-8faa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36986?format=api", "vulnerability_id": "VCID-ag3v-g92v-kbde", "summary": "picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. 
By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00871", "scoring_system": "epss", "scoring_elements": "0.75595", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1945" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:04:32Z/" } ], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:04:32Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-21.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-21.yaml" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1945", "reference_id": "cve-2025-1945", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:04:32Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1945" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945", "reference_id": "CVE-2025-1945", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945" }, { "reference_url": "https://github.com/advisories/GHSA-w8jq-xcqf-f792", "reference_id": "GHSA-w8jq-xcqf-f792", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w8jq-xcqf-f792" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44604?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cj8-mnbu-6qdy" }, { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": 
"VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-jfcq-vpg2-pkdn" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-uzp8-p94w-5fem" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "CVE-2025-1945", "GHSA-w8jq-xcqf-f792", "PYSEC-2025-21" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-ag3v-g92v-kbde" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37111?format=api", "vulnerability_id": "VCID-auku-kbg2-2ybg", "summary": "An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10156", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01284", "scoring_system": "epss", "scoring_elements": "0.79975", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10156" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg" }, { "reference_url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true" }, { "reference_url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156", "reference_id": "CVE-2025-10156", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156" }, { "reference_url": "https://github.com/advisories/GHSA-mjqp-26hc-grxg", "reference_id": "GHSA-mjqp-26hc-grxg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mjqp-26hc-grxg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46352?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "CVE-2025-10156", "GHSA-mjqp-26hc-grxg", "PYSEC-2025-152" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-auku-kbg2-2ybg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37112?format=api", "vulnerability_id": "VCID-avk4-jaz6-m3gw", "summary": "A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals 
check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). \n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10157", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.5028", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10157" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:07:29Z/" } ], "url": 
"https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/50", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/50" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:07:29Z/" } 
], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr" }, { "reference_url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:07:29Z/" } ], "url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157", "reference_id": "CVE-2025-10157", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157" }, { "reference_url": "https://github.com/advisories/GHSA-f7qq-56ww-84cr", "reference_id": "GHSA-f7qq-56ww-84cr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f7qq-56ww-84cr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46352?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { 
"vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "CVE-2025-10157", "GHSA-f7qq-56ww-84cr", "PYSEC-2025-153" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-avk4-jaz6-m3gw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57934?format=api", "vulnerability_id": "VCID-b5vc-gbs8-euah", "summary": "Picklescan missing detection when calling pytorch function torch.utils.collect_env.run\nUsing torch.utils.collect_env.run function, which is a pytorch library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/advisories/GHSA-f745-w6jp-hpxx", "reference_id": "GHSA-f745-w6jp-hpxx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f745-w6jp-hpxx" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f745-w6jp-hpxx", "reference_id": "GHSA-f745-w6jp-hpxx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f745-w6jp-hpxx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46349?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": 
"VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-f745-w6jp-hpxx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b5vc-gbs8-euah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58001?format=api", "vulnerability_id": "VCID-b7jy-k4ur-bffk", "summary": 
"Picklescan is missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_autograd_prof\nUsing torch.utils.bottleneck.\\_\\_main\\_\\_.run_autograd_prof function, which is a pytorch library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-4whj-rm5r-c2v8", "reference_id": "GHSA-4whj-rm5r-c2v8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4whj-rm5r-c2v8" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4whj-rm5r-c2v8", "reference_id": "GHSA-4whj-rm5r-c2v8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4whj-rm5r-c2v8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { 
"vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-4whj-rm5r-c2v8" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b7jy-k4ur-bffk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47806?format=api", "vulnerability_id": "VCID-c27r-8kjg-tyeu", "summary": "Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references.\n\n### Original Description\nA Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). 
\n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr" }, { "reference_url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157", "reference_id": "CVE-2025-10157", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157" }, { "reference_url": "https://github.com/advisories/GHSA-hf6h-9wq7-hmjg", "reference_id": "GHSA-hf6h-9wq7-hmjg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hf6h-9wq7-hmjg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46352?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "GHSA-hf6h-9wq7-hmjg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c27r-8kjg-tyeu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57998?format=api", "vulnerability_id": "VCID-c7w5-grfx-j7fr", "summary": "Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand\nUsing idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-j343-8v2j-ff7w", "reference_id": "GHSA-j343-8v2j-ff7w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j343-8v2j-ff7w" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-j343-8v2j-ff7w", "reference_id": "GHSA-j343-8v2j-ff7w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-j343-8v2j-ff7w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", 
"is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-j343-8v2j-ff7w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c7w5-grfx-j7fr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50596?format=api", "vulnerability_id": "VCID-dz86-5sqp-m3gj", "summary": "PickleScan has multiple stdlib modules with direct RCE not in blocklist\npicklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). 
This enables remote code execution that bypasses picklescan entirely.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/advisories/GHSA-g38g-8gr9-h9xp", "reference_id": "GHSA-g38g-8gr9-h9xp", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g38g-8gr9-h9xp" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp", "reference_id": "GHSA-g38g-8gr9-h9xp", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74402?format=api", "purl": "pkg:pypi/picklescan@1.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4" } ], "aliases": [ "GHSA-g38g-8gr9-h9xp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dz86-5sqp-m3gj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57944?format=api", "vulnerability_id": "VCID-dzje-5de9-bfb4", "summary": "Picklescan missing detection when calling pytorch function 
torch.utils.data.datapipes.utils.decoder.basichandlers\nUsing torch.utils.data.datapipes.utils.decoder.basichandlers function, which is a pytorch library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/advisories/GHSA-h3qp-7fh3-f8h4", "reference_id": "GHSA-h3qp-7fh3-f8h4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h3qp-7fh3-f8h4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-h3qp-7fh3-f8h4", "reference_id": "GHSA-h3qp-7fh3-f8h4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-h3qp-7fh3-f8h4" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/46349?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": 
"VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-h3qp-7fh3-f8h4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dzje-5de9-bfb4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49518?format=api", "vulnerability_id": "VCID-e8b8-zuq1-5fb5", "summary": "Picklescan Bypasses Unsafe Globals Check using pty.spawn\nThe vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the `pty` library (more specifically, of the `pty.spawn` function) from PickleScan's list of unsafe globals. 
This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-hgrh-qx5j-jfwx", "reference_id": "GHSA-hgrh-qx5j-jfwx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": 
"cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hgrh-qx5j-jfwx" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx", "reference_id": "GHSA-hgrh-qx5j-jfwx", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-hgrh-qx5j-jfwx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e8b8-zuq1-5fb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57989?format=api", "vulnerability_id": "VCID-efmk-gy96-13bq", "summary": "Picklescan is missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label\nThe built-in Python library function lib2to3.pgen2.pgen.ParserGenerator.make_label can be used to execute a remote pickle file, and Picklescan does not detect it.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-p9w7-82w4-7q8m", "reference_id": "GHSA-p9w7-82w4-7q8m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p9w7-82w4-7q8m" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-p9w7-82w4-7q8m", "reference_id": "GHSA-p9w7-82w4-7q8m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-p9w7-82w4-7q8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": 
"VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-p9w7-82w4-7q8m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-efmk-gy96-13bq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49517?format=api", "vulnerability_id": "VCID-fa6r-jn3y-4yfb", "summary": "Picklescan has Incomplete List of Disallowed Inputs\nCurrently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly\n* pydoc.locate: Can dynamically resolve and import arbitrary modules (e.g., resolving the string \"os\" to the actual os module).\n* operator.methodcaller: Allows executing a method on an object. 
When combined with a resolved module object, it can execute functions like system.\n\nSince locate and methodcaller are not explicitly listed in the deny-list, picklescan treats them as \"Safe\" or \"Suspicious\" (depending on configuration) but does not flag them as \"Dangerous\", allowing the malicious file to bypass the security check.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-84r2-jw7c-4r5q", "reference_id": "GHSA-84r2-jw7c-4r5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-84r2-jw7c-4r5q" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q", "reference_id": "GHSA-84r2-jw7c-4r5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-84r2-jw7c-4r5q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fa6r-jn3y-4yfb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57953?format=api", "vulnerability_id": "VCID-fdpc-mh9w-xqaz", "summary": "Picklescan missing 
detection when calling pytorch function torch.jit.unsupported_tensor_ops.execWrapper\nThe PyTorch library function torch.jit.unsupported_tensor_ops.execWrapper can be used to execute a remote pickle file, and Picklescan does not detect it.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/advisories/GHSA-vr7h-p6mm-wpmh", "reference_id": "GHSA-vr7h-p6mm-wpmh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vr7h-p6mm-wpmh" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vr7h-p6mm-wpmh", "reference_id": "GHSA-vr7h-p6mm-wpmh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vr7h-p6mm-wpmh" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46349?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { 
"vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-vr7h-p6mm-wpmh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fdpc-mh9w-xqaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50643?format=api", "vulnerability_id": "VCID-ffv8-d2fk-tubb", "summary": "PickleScan's pkgutil.resolve_name has a universal blocklist bypass\n`pkgutil.resolve_name()` is a Python stdlib function that resolves any `\"module:attribute\"` string to the corresponding Python object at runtime. By using `pkgutil.resolve_name` as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function (e.g., `os.system`, `builtins.exec`, `subprocess.call`) without that function appearing in the pickle's opcodes. 
picklescan only sees `pkgutil.resolve_name` (which is not blocked) and misses the actual dangerous function entirely.\n\nThis defeats picklescan's **entire blocklist concept** — every single entry in `_unsafe_globals` can be bypassed.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/advisories/GHSA-vvpj-8cmc-gx39", "reference_id": "GHSA-vvpj-8cmc-gx39", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vvpj-8cmc-gx39" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39", "reference_id": "GHSA-vvpj-8cmc-gx39", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74402?format=api", "purl": "pkg:pypi/picklescan@1.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4" } ], "aliases": [ "GHSA-vvpj-8cmc-gx39" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ffv8-d2fk-tubb" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/57985?format=api", "vulnerability_id": "VCID-g4fb-k4w9-tbd8", "summary": "Picklescan is missing detection when calling built-in python cProfile.run\nThe built-in Python library function cProfile.run can be used to execute a remote pickle file, and Picklescan does not detect it.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-49gj-c84q-6qm9", "reference_id": "GHSA-49gj-c84q-6qm9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-49gj-c84q-6qm9" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-49gj-c84q-6qm9", "reference_id": "GHSA-49gj-c84q-6qm9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-49gj-c84q-6qm9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" 
}, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-49gj-c84q-6qm9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g4fb-k4w9-tbd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49516?format=api", "vulnerability_id": "VCID-gww1-x3je-q7a2", "summary": "Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval\nThe NumPy function numpy.f2py.crackfortran.param_eval can be used to execute remote pickle files, and Picklescan does not detect it.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-cffc-mxrf-mhh4", "reference_id": "GHSA-cffc-mxrf-mhh4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cffc-mxrf-mhh4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4", "reference_id": "GHSA-cffc-mxrf-mhh4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": 
"VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-cffc-mxrf-mhh4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gww1-x3je-q7a2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56776?format=api", "vulnerability_id": "VCID-gzb2-5ekw-rqg6", "summary": "Duplicate Advisory: Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-w8jq-xcqf-f792. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). 
This can lead to arbitrary code execution when loading a compromised model.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945", "reference_id": "CVE-2025-1945", "reference_type": "", "scores": [ { "value": "5.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945" }, { "reference_url": "https://github.com/advisories/GHSA-2fh4-gpch-vqv4", "reference_id": "GHSA-2fh4-gpch-vqv4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2fh4-gpch-vqv4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44604?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cj8-mnbu-6qdy" }, { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": 
"VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-jfcq-vpg2-pkdn" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-uzp8-p94w-5fem" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "GHSA-2fh4-gpch-vqv4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gzb2-5ekw-rqg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49924?format=api", "vulnerability_id": "VCID-h67b-5y6y-xffd", "summary": "picklescan vulnerable to arbitrary file create using logging.FileHandler\nUnsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. 
By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/4d9bc9cd34bca8672dad3481cd4556d5ba747156", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/4d9bc9cd34bca8672dad3481cd4556d5ba747156" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/60", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/60" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1" }, { "reference_url": "https://github.com/advisories/GHSA-m7j5-r2p5-c39r", "reference_id": "GHSA-m7j5-r2p5-c39r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m7j5-r2p5-c39r" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m7j5-r2p5-c39r", "reference_id": "GHSA-m7j5-r2p5-c39r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m7j5-r2p5-c39r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73778?format=api", "purl": "pkg:pypi/picklescan@1.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.1" } ], "aliases": [ "GHSA-m7j5-r2p5-c39r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h67b-5y6y-xffd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49541?format=api", "vulnerability_id": "VCID-h8bj-dvqr-kfet", "summary": "Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length\nThe `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) can be used to execute arbitrary Python code during unpickling, and Picklescan does not detect it.", "references": [ 
{ "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-6556-fwc2-fg2p", "reference_id": "GHSA-6556-fwc2-fg2p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-6556-fwc2-fg2p" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p", "reference_id": "GHSA-6556-fwc2-fg2p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-6556-fwc2-fg2p" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h8bj-dvqr-kfet" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57940?format=api", "vulnerability_id": "VCID-hj58-pnq5-xybx", "summary": "Picklescan missing detection when calling pytorch function torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\nUsing torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function, which is a pytorch library function to execute remote pickle file.", "references": [ { "reference_url": 
"https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/advisories/GHSA-f4x7-rfwp-v3xw", "reference_id": "GHSA-f4x7-rfwp-v3xw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f4x7-rfwp-v3xw" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f4x7-rfwp-v3xw", "reference_id": "GHSA-f4x7-rfwp-v3xw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f4x7-rfwp-v3xw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46349?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": 
"VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": 
"VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-f4x7-rfwp-v3xw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hj58-pnq5-xybx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57991?format=api", "vulnerability_id": "VCID-hukw-x64j-pkhw", "summary": "Picklescan has a missing detection when calling built-in python profile.Profile.runctx\nUsing profile.Profile.runctx, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-6vqj-c2q5-j97w", "reference_id": "GHSA-6vqj-c2q5-j97w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6vqj-c2q5-j97w" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6vqj-c2q5-j97w", "reference_id": "GHSA-6vqj-c2q5-j97w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6vqj-c2q5-j97w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": 
true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-6vqj-c2q5-j97w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hukw-x64j-pkhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57993?format=api", "vulnerability_id": "VCID-j1w8-qg73-1qc3", "summary": "Picklescan has a missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem\nUsing idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-3vg9-h568-4w9m", "reference_id": "GHSA-3vg9-h568-4w9m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3vg9-h568-4w9m" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3vg9-h568-4w9m", "reference_id": "GHSA-3vg9-h568-4w9m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3vg9-h568-4w9m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": 
"VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-3vg9-h568-4w9m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j1w8-qg73-1qc3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57982?format=api", "vulnerability_id": "VCID-jcan-amh5-mkcm", "summary": "Picklescan has a missing detection when calling built-in python library idlelib.calltip.get_entity\nUsing idlelib.calltip.get_entity function, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-9xph-j2h6-g47v", "reference_id": "GHSA-9xph-j2h6-g47v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9xph-j2h6-g47v" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9xph-j2h6-g47v", "reference_id": 
"GHSA-9xph-j2h6-g47v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9xph-j2h6-g47v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-9xph-j2h6-g47v" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jcan-amh5-mkcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37050?format=api", "vulnerability_id": "VCID-jfcq-vpg2-pkdn", 
"summary": "The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46417", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00332", "scoring_system": "epss", "scoring_elements": "0.56394", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46417" }, { "reference_url": "https://github.com/advisories/GHSA-93mv-x874-956g", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T14:50:58Z/" } ], "url": "https://github.com/advisories/GHSA-93mv-x874-956g" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/40", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T14:50:58Z/" } ], "url": 
"https://github.com/mmaitre314/picklescan/pull/40" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-34.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-34.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417", "reference_id": "CVE-2025-46417", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-93mv-x874-956g", "reference_id": "GHSA-93mv-x874-956g", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-93mv-x874-956g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45028?format=api", "purl": "pkg:pypi/picklescan@0.0.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { 
"vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": 
"VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.25" } ], "aliases": [ "CVE-2025-46417", "GHSA-93mv-x874-956g", "PYSEC-2025-34" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jfcq-vpg2-pkdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57180?format=api", "vulnerability_id": "VCID-m2a1-ptv8-yueh", "summary": "Duplicate Advisory: Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate\n# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-93mv-x874-956g. This link is maintained to preserve external references.\n\n# Original Description\n\nThe unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-93mv-x874-956g", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93mv-x874-956g" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/40", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/40" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417", "reference_id": "CVE-2025-46417", 
"reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417" }, { "reference_url": "https://github.com/advisories/GHSA-4p4h-9gvq-7xfg", "reference_id": "GHSA-4p4h-9gvq-7xfg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4p4h-9gvq-7xfg" } ], "fixed_packages": [], "aliases": [ "GHSA-4p4h-9gvq-7xfg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m2a1-ptv8-yueh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57987?format=api", "vulnerability_id": "VCID-m2cs-gnrv-rqek", "summary": "Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.get_entity\nUsing idlelib.autocomplete.AutoComplete.get_entity, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-6w4w-5w54-rjvr", "reference_id": "GHSA-6w4w-5w54-rjvr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6w4w-5w54-rjvr" }, { "reference_url": 
"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6w4w-5w54-rjvr", "reference_id": "GHSA-6w4w-5w54-rjvr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6w4w-5w54-rjvr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-6w4w-5w54-rjvr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m2cs-gnrv-rqek" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/50201?format=api", "vulnerability_id": "VCID-mhm6-27cp-1yhr", "summary": "Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER\nThis is a scanning bypass of the `scan_pytorch` function in `picklescan`. The implementation of [get_magic_number()](https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/torch.py#L76C5-L84) uses `pickletools.genops(data)` to find the `magic_number`, accepting it only when the `opcode.name` includes `INT` or `LONG`, whereas PyTorch's implementation simply uses [pickle_module.load()](https://github.com/pytorch/pytorch/blob/134179474539648ba7dee1317959529fbd0e7f89/torch/serialization.py#L1797) to obtain this `magic_number`. Because of this implementation difference (a parser differential between the static opcode walk and the real unpickler), the `magic_code` can be embedded into the `PyTorch` file via a dynamic `eval` on the `\\_\\_reduce\\_\\_` trick: `pickletools.genops(data)` then cannot obtain the `magic_code` as an `INT` or `LONG` value, but `pickle_module.load()` still returns the same `magic_code`, leading to a bypass.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/b9997634683a4f4bd0c7e3701e7ce7e90fe70e8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/b9997634683a4f4bd0c7e3701e7ce7e90fe70e8c" 
}, { "reference_url": "https://github.com/advisories/GHSA-97f8-7cmv-76j2", "reference_id": "GHSA-97f8-7cmv-76j2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-97f8-7cmv-76j2" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-97f8-7cmv-76j2", "reference_id": "GHSA-97f8-7cmv-76j2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-97f8-7cmv-76j2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74108?format=api", "purl": "pkg:pypi/picklescan@1.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.3" } ], "aliases": [ "GHSA-97f8-7cmv-76j2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mhm6-27cp-1yhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58006?format=api", "vulnerability_id": "VCID-mkc8-71mt-ybfs", "summary": "Picklescan is missing detection when calling built-in python cProfile.runctx\nUsing cProfile.runctx function, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-9w88-8rmg-7g2p", "reference_id": "GHSA-9w88-8rmg-7g2p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9w88-8rmg-7g2p" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p", "reference_id": "GHSA-9w88-8rmg-7g2p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { 
"vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-9w88-8rmg-7g2p" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mkc8-71mt-ybfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49540?format=api", "vulnerability_id": "VCID-mp69-7jdd-8yhe", "summary": "Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter\nPicklescan uses _operator.attrgetter, which is a built-in python library function to execute remote pickle files.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34", "reference_id": 
"", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34" }, { "reference_url": "https://github.com/advisories/GHSA-46h3-79wf-xr6c", "reference_id": "GHSA-46h3-79wf-xr6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-46h3-79wf-xr6c" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-46h3-79wf-xr6c", "reference_id": "GHSA-46h3-79wf-xr6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-46h3-79wf-xr6c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73134?format=api", "purl": "pkg:pypi/picklescan@0.0.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.34" } ], "aliases": [ "GHSA-46h3-79wf-xr6c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mp69-7jdd-8yhe" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/57995?format=api", "vulnerability_id": "VCID-n2pc-xd2g-zudu", "summary": "Picklescan has a missing detection when calling built-in python code.InteractiveInterpreter\nUsing code.InteractiveInterpreter.runcode, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-cj3c-v495-4xqh", "reference_id": "GHSA-cj3c-v495-4xqh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cj3c-v495-4xqh" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cj3c-v495-4xqh", "reference_id": "GHSA-cj3c-v495-4xqh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cj3c-v495-4xqh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { 
"vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-cj3c-v495-4xqh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n2pc-xd2g-zudu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56737?format=api", "vulnerability_id": "VCID-na53-h312-2qgm", "summary": "Duplicate Advisory: Remote Code Execution via Malicious Pickle File Bypassing Static Analysis\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. 
Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-1716", "reference_id": "CVE-2025-1716", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716" }, { "reference_url": "https://github.com/advisories/GHSA-vr75-hjh9-7fr6", "reference_id": "GHSA-vr75-hjh9-7fr6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vr75-hjh9-7fr6" } ], "fixed_packages": [], "aliases": [ "GHSA-vr75-hjh9-7fr6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-na53-h312-2qgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36978?format=api", "vulnerability_id": "VCID-nvvk-8a8j-43gw", "summary": "picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. 
Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.16248", "scoring_system": "epss", "scoring_elements": "0.94951", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1716" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.1803", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1889" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T15:49:26Z/" } ], "url": "https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T15:49:26Z/" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-03T20:06:20Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-18.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-18.yaml" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1716", "reference_id": "cve-2025-1716", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T15:49:26Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1716" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716", "reference_id": "CVE-2025-1716", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1889", "reference_id": "cve-2025-1889", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-03T20:06:20Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1889" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889", "reference_id": "CVE-2025-1889", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889" }, { "reference_url": "https://github.com/advisories/GHSA-655q-fx9r-782v", "reference_id": "GHSA-655q-fx9r-782v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://github.com/advisories/GHSA-769v-p64c-89pr", "reference_id": "GHSA-769v-p64c-89pr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-769v-p64c-89pr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr", "reference_id": "GHSA-769v-p64c-89pr", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44411?format=api", "purl": "pkg:pypi/picklescan@0.0.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cj8-mnbu-6qdy" }, { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": 
"VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-ag3v-g92v-kbde" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-gzb2-5ekw-rqg6" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-jfcq-vpg2-pkdn" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-na53-h312-2qgm" }, { "vulnerability": "VCID-nvvk-8a8j-43gw" }, { "vulnerability": "VCID-p25w-vsm8-nbdp" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": 
"VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-uzp8-p94w-5fem" }, { "vulnerability": "VCID-v1nk-1s8p-kya1" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-w2h9-74te-tqhc" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/44475?format=api", "purl": "pkg:pypi/picklescan@0.0.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cj8-mnbu-6qdy" }, { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-ag3v-g92v-kbde" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" 
}, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-gzb2-5ekw-rqg6" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-jfcq-vpg2-pkdn" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-uzp8-p94w-5fem" }, { "vulnerability": "VCID-v1nk-1s8p-kya1" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-w2h9-74te-tqhc" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.22" } ], "aliases": [ "CVE-2025-1716", "CVE-2025-1889", "GHSA-655q-fx9r-782v", "GHSA-769v-p64c-89pr", "PYSEC-2025-18", "PYSEC-2025-19" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-nvvk-8a8j-43gw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56732?format=api", "vulnerability_id": "VCID-p25w-vsm8-nbdp", "summary": "Duplicate Advisory: Picklescan Allows Remote Code Execution via Malicious Pickle File Bypassing Static Analysis\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-769v-p64c-89pr. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle to include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system":
"generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889", "reference_id": "CVE-2025-1889", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889" }, { "reference_url": "https://github.com/advisories/GHSA-hw34-rqc5-h2gm", "reference_id": "GHSA-hw34-rqc5-h2gm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hw34-rqc5-h2gm" } ], "fixed_packages": [], "aliases": [ "GHSA-hw34-rqc5-h2gm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p25w-vsm8-nbdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57826?format=api", "vulnerability_id": "VCID-pg7f-wjk7-2qgm", "summary": "Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass\nDetection bypass in both picklescan and modelscan. 
Note that it also affects the online hugging face pickle scanners, making the malicious pickle file bypass the detection.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/58983e1c20973ac42f2df7ff15d7c8cd32f9b688", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/58983e1c20973ac42f2df7ff15d7c8cd32f9b688" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.27", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.27" }, { "reference_url": "https://github.com/advisories/GHSA-9gvj-pp9x-gcfr", "reference_id": "GHSA-9gvj-pp9x-gcfr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9gvj-pp9x-gcfr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr", "reference_id": "GHSA-9gvj-pp9x-gcfr", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46348?format=api", "purl": "pkg:pypi/picklescan@0.0.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { 
"vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.27" } ], "aliases": [ "GHSA-9gvj-pp9x-gcfr" ], "risk_score": null, 
"exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pg7f-wjk7-2qgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58005?format=api", "vulnerability_id": "VCID-ph9u-h8dq-mfen", "summary": "Picklescan has a missing detection when calling built-in python lib2to3.pgen2.grammar.Grammar.loads\nUsing lib2to3.pgen2.grammar.Grammar.loads, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-f54q-57x4-jg88", "reference_id": "GHSA-f54q-57x4-jg88", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f54q-57x4-jg88" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f54q-57x4-jg88", "reference_id": "GHSA-f54q-57x4-jg88", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f54q-57x4-jg88" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": 
"VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-f54q-57x4-jg88" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ph9u-h8dq-mfen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49515?format=api", "vulnerability_id": "VCID-qy4e-nf4v-kfc2", "summary": "Picklescan is vulnerable to RCE through missing detection when calling built-in python operator.methodcaller\nPicklescan uses `operator.methodcaller`, which is a built-in python library function to execute remote pickle files.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/advisories/GHSA-x843-g5mx-g377", "reference_id": "GHSA-x843-g5mx-g377", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x843-g5mx-g377" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x843-g5mx-g377", "reference_id": "GHSA-x843-g5mx-g377", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x843-g5mx-g377" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": 
"pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-x843-g5mx-g377" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qy4e-nf4v-kfc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49943?format=api", "vulnerability_id": "VCID-r3gk-x182-juf5", "summary": "picklescan missing detection by simple obfuscation of a `builtins.eval` call\nAn unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/173c8f2a869ea9b69b543477525ec70611c3c6f4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/mmaitre314/picklescan/commit/173c8f2a869ea9b69b543477525ec70611c3c6f4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/59", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/59" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1" }, { "reference_url": "https://github.com/advisories/GHSA-9m3x-qqw2-h32h", "reference_id": "GHSA-9m3x-qqw2-h32h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9m3x-qqw2-h32h" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h", "reference_id": "GHSA-9m3x-qqw2-h32h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73778?format=api", "purl": "pkg:pypi/picklescan@1.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.1" } ], "aliases": [ "GHSA-9m3x-qqw2-h32h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r3gk-x182-juf5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49528?format=api", "vulnerability_id": "VCID-ray2-m9fg-5kgz", "summary": "Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef\nPicklescan uses the `numpy.f2py.crackfortran.getlincoef` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-rrxm-2pvv-m66x", "reference_id": "GHSA-rrxm-2pvv-m66x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rrxm-2pvv-m66x" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x", "reference_id": "GHSA-rrxm-2pvv-m66x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": 
"VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-rrxm-2pvv-m66x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ray2-m9fg-5kgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47801?format=api", "vulnerability_id": "VCID-rsm5-cnha-hbc2", "summary": "Duplicate Advisory: Picklescan Bypass is Possible via File Extension Mismatch\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-jgw4-cr84-mqxg. This link is maintained to preserve external references.\n\n### Original Description\nAn Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. 
When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155", "reference_id": "CVE-2025-10155", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155" }, { "reference_url": "https://github.com/advisories/GHSA-j424-mc44-f4hj", "reference_id": 
"GHSA-j424-mc44-f4hj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j424-mc44-f4hj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46352?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "GHSA-j424-mc44-f4hj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rsm5-cnha-hbc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57986?format=api", "vulnerability_id": "VCID-rz3j-cnq5-6qbb", "summary": "Picklescan is missing detection when calling built-in python ensurepip._run_pip\nUsing ensurepip._run_pip function, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-xp4f-hrf8-rxw7", "reference_id": "GHSA-xp4f-hrf8-rxw7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xp4f-hrf8-rxw7" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-xp4f-hrf8-rxw7", "reference_id": "GHSA-xp4f-hrf8-rxw7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-xp4f-hrf8-rxw7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" 
}, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-xp4f-hrf8-rxw7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rz3j-cnq5-6qbb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50546?format=api", "vulnerability_id": "VCID-sapx-fzv8-pbcw", "summary": "PickleScan's profile.run blocklist mismatch allows exec() bypass\npicklescan v1.0.3 blocks `profile.Profile.run` and `profile.Profile.runctx` but does NOT block the module-level `profile.run()` function. A malicious pickle calling `profile.run(statement)` achieves arbitrary code execution via `exec()` while picklescan reports 0 issues. 
This is because the blocklist entry `\"Profile.run\"` does not match the pickle global name `\"run\"`.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/advisories/GHSA-7wx9-6375-f5wh", "reference_id": "GHSA-7wx9-6375-f5wh", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7wx9-6375-f5wh" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh", "reference_id": "GHSA-7wx9-6375-f5wh", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74402?format=api", "purl": "pkg:pypi/picklescan@1.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4" } ], "aliases": [ "GHSA-7wx9-6375-f5wh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sapx-fzv8-pbcw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57939?format=api", "vulnerability_id": "VCID-sffp-afau-8qbw", "summary": "Picklescan missing detection when 
calling pytorch function torch._dynamo.guards.GuardBuilder.get\nUsing torch._dynamo.guards.GuardBuilder.get function, which is a pytorch library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/advisories/GHSA-86cj-95qr-2p4f", "reference_id": "GHSA-86cj-95qr-2p4f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-86cj-95qr-2p4f" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f", "reference_id": "GHSA-86cj-95qr-2p4f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/46349?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": 
"VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-86cj-95qr-2p4f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sffp-afau-8qbw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49534?format=api", "vulnerability_id": "VCID-sht8-2uh8-eydw", "summary": "Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller\nPicklescan uses _operator.methodcaller, which is a built-in python library function to execute remote pickle files.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34" }, { "reference_url": "https://github.com/advisories/GHSA-955r-x9j8-7rhh", "reference_id": "GHSA-955r-x9j8-7rhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-955r-x9j8-7rhh" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-955r-x9j8-7rhh", "reference_id": "GHSA-955r-x9j8-7rhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-955r-x9j8-7rhh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73134?format=api", "purl": "pkg:pypi/picklescan@0.0.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.34" } ], "aliases": [ "GHSA-955r-x9j8-7rhh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sht8-2uh8-eydw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58008?format=api", 
"vulnerability_id": "VCID-tfrn-vtbm-97dr", "summary": "Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode\nUsing idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-3gf5-cxq9-w223", "reference_id": "GHSA-3gf5-cxq9-w223", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3gf5-cxq9-w223" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3gf5-cxq9-w223", "reference_id": "GHSA-3gf5-cxq9-w223", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3gf5-cxq9-w223" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { 
"vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-3gf5-cxq9-w223" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tfrn-vtbm-97dr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57983?format=api", "vulnerability_id": "VCID-ucjy-namn-vqan", "summary": "Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip\nUsing idlelib.calltip.Calltip.fetch_tip, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-8r4j-24qv-fmq9", "reference_id": "GHSA-8r4j-24qv-fmq9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8r4j-24qv-fmq9" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-8r4j-24qv-fmq9", "reference_id": "GHSA-8r4j-24qv-fmq9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-8r4j-24qv-fmq9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" 
} ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-8r4j-24qv-fmq9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ucjy-namn-vqan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49520?format=api", "vulnerability_id": "VCID-uh9g-6nbj-8qcv", "summary": "Picklescan missing detection when calling pty.spawn\nUsing pty.spawn, which is a built-in python library function to execute arbitrary commands on the host system.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-vqmv-47xg-9wpr", "reference_id": "GHSA-vqmv-47xg-9wpr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqmv-47xg-9wpr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vqmv-47xg-9wpr", "reference_id": "GHSA-vqmv-47xg-9wpr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vqmv-47xg-9wpr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73107?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-vqmv-47xg-9wpr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uh9g-6nbj-8qcv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57949?format=api", "vulnerability_id": "VCID-urbq-4gnz-a3b9", "summary": "Picklescan missing detection when calling pytorch function torch.utils._config_module.load_config\nUsing torch.utils._config_module.load_config function, which is a pytorch library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/advisories/GHSA-vv6j-3g6g-2pvj", "reference_id": "GHSA-vv6j-3g6g-2pvj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vv6j-3g6g-2pvj" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vv6j-3g6g-2pvj", "reference_id": 
"GHSA-vv6j-3g6g-2pvj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vv6j-3g6g-2pvj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46349?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": 
"VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-vv6j-3g6g-2pvj" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-urbq-4gnz-a3b9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57996?format=api", "vulnerability_id": "VCID-utgf-mfym-6ff8", "summary": "Picklescan is missing detection when calling built-in python idlelib.run.Executive.runcode\nUsing idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-m869-42cg-3xwr", "reference_id": "GHSA-m869-42cg-3xwr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m869-42cg-3xwr" }, { 
"reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m869-42cg-3xwr", "reference_id": "GHSA-m869-42cg-3xwr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m869-42cg-3xwr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-m869-42cg-3xwr" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-utgf-mfym-6ff8" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/57089?format=api", "vulnerability_id": "VCID-uzp8-p94w-5fem", "summary": "Picklescan missing detection when calling built-in python library function timeit.timeit()\nUsing timeit.timeit() function, which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/40", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/40" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.25", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.25" }, { "reference_url": "https://github.com/advisories/GHSA-v7x6-rv5q-mhwc", "reference_id": "GHSA-v7x6-rv5q-mhwc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v7x6-rv5q-mhwc" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc", "reference_id": "GHSA-v7x6-rv5q-mhwc", "reference_type": "", "scores": [ { "value": "5.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45028?format=api", "purl": "pkg:pypi/picklescan@0.0.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { 
"vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.25" } ], "aliases": [ "GHSA-v7x6-rv5q-mhwc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uzp8-p94w-5fem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56775?format=api", "vulnerability_id": "VCID-v1nk-1s8p-kya1", "summary": "Duplicate Advisory: Zip Exploit Crashes Picklescan But Not PyTorch\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-7q5r-7gvp-wc82. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. 
However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944", "reference_id": 
"CVE-2025-1944", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944" }, { "reference_url": "https://github.com/advisories/GHSA-w6mr-mj53-x258", "reference_id": "GHSA-w6mr-mj53-x258", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w6mr-mj53-x258" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44604?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cj8-mnbu-6qdy" }, { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": "VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { 
"vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-jfcq-vpg2-pkdn" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-uzp8-p94w-5fem" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "GHSA-w6mr-mj53-x258" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v1nk-1s8p-kya1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57980?format=api", "vulnerability_id": "VCID-v38f-mhcb-bucj", "summary": "Picklescan is missing detection when calling built-in python doctest.debug_script\nUsing doctest.debug_script function, 
which is a built-in python library function to execute remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-fqq6-7vqf-w3fg", "reference_id": "GHSA-fqq6-7vqf-w3fg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fqq6-7vqf-w3fg" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fqq6-7vqf-w3fg", "reference_id": "GHSA-fqq6-7vqf-w3fg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fqq6-7vqf-w3fg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { 
"vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-fqq6-7vqf-w3fg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v38f-mhcb-bucj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36985?format=api", "vulnerability_id": "VCID-w2h9-74te-tqhc", "summary": "picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. 
However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.3453", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1944" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:08:11Z/" } ], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:08:11Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-20.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-20.yaml" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1944", "reference_id": "cve-2025-1944", 
"reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:08:11Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1944" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944", "reference_id": "CVE-2025-1944", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944" }, { "reference_url": "https://github.com/advisories/GHSA-7q5r-7gvp-wc82", "reference_id": "GHSA-7q5r-7gvp-wc82", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7q5r-7gvp-wc82" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44604?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cj8-mnbu-6qdy" }, { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-42d3-nspa-zqes" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-6ye8-sf3d-zfbg" }, { "vulnerability": "VCID-76yk-3zr4-87bh" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-9f46-wx2v-qfgv" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-b5vc-gbs8-euah" }, { "vulnerability": 
"VCID-b7jy-k4ur-bffk" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-c7w5-grfx-j7fr" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-dzje-5de9-bfb4" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-efmk-gy96-13bq" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-fdpc-mh9w-xqaz" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-g4fb-k4w9-tbd8" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-hj58-pnq5-xybx" }, { "vulnerability": "VCID-hukw-x64j-pkhw" }, { "vulnerability": "VCID-j1w8-qg73-1qc3" }, { "vulnerability": "VCID-jcan-amh5-mkcm" }, { "vulnerability": "VCID-jfcq-vpg2-pkdn" }, { "vulnerability": "VCID-m2a1-ptv8-yueh" }, { "vulnerability": "VCID-m2cs-gnrv-rqek" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mkc8-71mt-ybfs" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-n2pc-xd2g-zudu" }, { "vulnerability": "VCID-pg7f-wjk7-2qgm" }, { "vulnerability": "VCID-ph9u-h8dq-mfen" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-rz3j-cnq5-6qbb" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sffp-afau-8qbw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-tfrn-vtbm-97dr" }, { "vulnerability": "VCID-ucjy-namn-vqan" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" }, { "vulnerability": "VCID-urbq-4gnz-a3b9" }, { "vulnerability": "VCID-utgf-mfym-6ff8" }, { "vulnerability": "VCID-uzp8-p94w-5fem" }, { "vulnerability": "VCID-v38f-mhcb-bucj" }, { "vulnerability": "VCID-whea-3bmh-xya3" }, { "vulnerability": "VCID-ymbm-c1nv-muhm" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "CVE-2025-1944", "GHSA-7q5r-7gvp-wc82", "PYSEC-2025-20" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w2h9-74te-tqhc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58002?format=api", "vulnerability_id": "VCID-whea-3bmh-xya3", "summary": "Picklescan is missing detection when calling the built-in Python library function asyncio.unix_events._UnixSubprocessTransport._start\nUsing the asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in Python library function, an attacker can execute a remote pickle file.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/advisories/GHSA-q77w-mwjj-7mqx", "reference_id": "GHSA-q77w-mwjj-7mqx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-q77w-mwjj-7mqx" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-q77w-mwjj-7mqx", "reference_id": "GHSA-q77w-mwjj-7mqx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-q77w-mwjj-7mqx" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/46351?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" }, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-q77w-mwjj-7mqx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-whea-3bmh-xya3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57990?format=api", "vulnerability_id": "VCID-ymbm-c1nv-muhm", "summary": "Picklescan is missing detection when calling the built-in Python library function idlelib.autocomplete.AutoComplete.fetch_completions\nUsing the idlelib.autocomplete.AutoComplete.fetch_completions function, which is a built-in Python library function, an attacker can execute a remote pickle file.", 
"references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/advisories/GHSA-7cq8-mj8x-j263", "reference_id": "GHSA-7cq8-mj8x-j263", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7cq8-mj8x-j263" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7cq8-mj8x-j263", "reference_id": "GHSA-7cq8-mj8x-j263", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7cq8-mj8x-j263" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/46350?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ypz-maze-zqhh" }, { "vulnerability": "VCID-2syv-syp1-6yhk" }, { "vulnerability": "VCID-2v14-5pc3-zuez" }, { "vulnerability": "VCID-5rme-ypaf-67cc" }, { "vulnerability": "VCID-8msh-r19k-juhx" }, { "vulnerability": "VCID-8vsp-nth6-cubp" }, { "vulnerability": "VCID-afab-1ggb-8faa" }, { "vulnerability": "VCID-auku-kbg2-2ybg" }, { "vulnerability": "VCID-avk4-jaz6-m3gw" }, { "vulnerability": "VCID-c27r-8kjg-tyeu" }, { "vulnerability": "VCID-dz86-5sqp-m3gj" }, { "vulnerability": "VCID-e8b8-zuq1-5fb5" }, { "vulnerability": "VCID-fa6r-jn3y-4yfb" }, { "vulnerability": "VCID-ffv8-d2fk-tubb" 
}, { "vulnerability": "VCID-gww1-x3je-q7a2" }, { "vulnerability": "VCID-h67b-5y6y-xffd" }, { "vulnerability": "VCID-h8bj-dvqr-kfet" }, { "vulnerability": "VCID-mhm6-27cp-1yhr" }, { "vulnerability": "VCID-mp69-7jdd-8yhe" }, { "vulnerability": "VCID-qy4e-nf4v-kfc2" }, { "vulnerability": "VCID-r3gk-x182-juf5" }, { "vulnerability": "VCID-ray2-m9fg-5kgz" }, { "vulnerability": "VCID-rsm5-cnha-hbc2" }, { "vulnerability": "VCID-sapx-fzv8-pbcw" }, { "vulnerability": "VCID-sht8-2uh8-eydw" }, { "vulnerability": "VCID-uh9g-6nbj-8qcv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-7cq8-mj8x-j263" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ymbm-c1nv-muhm" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.2" }