| purl | pkg:pypi/picklescan@0.0.26 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1ypz-maze-zqhh (Aliases: GHSA-m273-6v24-x4m4) | **Picklescan vulnerable to Arbitrary File Writing.** Picklescan has `open()` and `shutil` in its default dangerous blocklist to prevent arbitrary file overwrites. However, the `distutils` module isn't blocked and can be used for the same purpose, i.e. to write arbitrary files. | Affected by 9 other vulnerabilities. |
| VCID-2syv-syp1-6yhk (Aliases: CVE-2025-10155, GHSA-jgw4-cr84-mqxg, PYSEC-2025-151) | An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle file security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code. | Affected by 20 other vulnerabilities. |
| VCID-2v14-5pc3-zuez (Aliases: GHSA-r8g5-cgf2-4m4m) | **Picklescan missing detection when calling `numpy.f2py.crackfortran.getlincoef`.** An unsafe deserialization vulnerability allows an attacker to execute arbitrary code on the host when loading a malicious pickle payload from an untrusted source. | Affected by 9 other vulnerabilities. |
| VCID-42d3-nspa-zqes (Aliases: GHSA-4r9r-ch6f-vxmx) | **Picklescan missing detection when calling PyTorch function `torch.utils.bottleneck.__main__.run_cprofile`.** `torch.utils.bottleneck.__main__.run_cprofile`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 47 other vulnerabilities. |
| VCID-5rme-ypaf-67cc (Aliases: GHSA-4vr7-g93g-cf6m) | **Duplicate Advisory: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check.** This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references. Original description: An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code. | Affected by 20 other vulnerabilities. |
| VCID-6ye8-sf3d-zfbg (Aliases: GHSA-5qwp-399c-mjwf) | **Picklescan has a missing detection when calling built-in Python `trace.Trace.run`.** `trace.Trace.run`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-76yk-3zr4-87bh (Aliases: GHSA-x696-vm39-cp64) | **Picklescan has a missing detection when calling built-in Python `profile.Profile.run`.** `profile.Profile.run`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-8msh-r19k-juhx (Aliases: GHSA-4675-36f9-wf6r) | **Picklescan does not block ctypes.** Picklescan doesn't flag the `ctypes` module as a dangerous module, which is a huge issue. `ctypes` is basically a foreign function interface library and can be used to load DLLs, call C functions directly, and manipulate raw memory pointers. This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that allowing `ctypes` presents is that it can be used down the line to dismantle interpreter-based Python sandboxes, as `ctypes` allows direct access to raw memory. This is a more severe loophole than normal gadget chains and bypasses, as raw memory access can be used for a lot of nefarious purposes down the line if left undetected. | Affected by 9 other vulnerabilities. |
| VCID-8vsp-nth6-cubp (Aliases: GHSA-3329-ghmp-jmv5) | **Picklescan is vulnerable to RCE through missing detection when calling `numpy.f2py.crackfortran.myeval`.** `numpy.f2py.crackfortran.myeval`, a function in NumPy, can be used to execute remote pickle files. | Affected by 9 other vulnerabilities. |
| VCID-9f46-wx2v-qfgv (Aliases: GHSA-g344-hcph-8vgg) | **Picklescan has a missing detection when calling built-in Python `trace.Trace.runctx`.** `trace.Trace.runctx`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-afab-1ggb-8faa (Aliases: GHSA-9726-w42j-3qjr) | **picklescan has Arbitrary file read using `io.FileIO`.** Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining `io.FileIO` and `urllib.request.urlopen`, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server. | Affected by 6 other vulnerabilities. |
| VCID-auku-kbg2-2ybg (Aliases: CVE-2025-10156, GHSA-mjqp-26hc-grxg, PYSEC-2025-152) | An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code. | Affected by 20 other vulnerabilities. |
| VCID-avk4-jaz6-m3gw (Aliases: CVE-2025-10157, GHSA-f7qq-56ww-84cr, PYSEC-2025-153) | A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When the file incorrectly considered safe is loaded after the scan, it can lead to the execution of malicious code. | Affected by 20 other vulnerabilities. |
| VCID-b5vc-gbs8-euah (Aliases: GHSA-f745-w6jp-hpxx) | **Picklescan missing detection when calling PyTorch function `torch.utils.collect_env.run`.** `torch.utils.collect_env.run`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 47 other vulnerabilities. |
| VCID-b7jy-k4ur-bffk (Aliases: GHSA-4whj-rm5r-c2v8) | **Picklescan is missing detection when calling PyTorch function `torch.utils.bottleneck.__main__.run_autograd_prof`.** `torch.utils.bottleneck.__main__.run_autograd_prof`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-c27r-8kjg-tyeu (Aliases: GHSA-hf6h-9wq7-hmjg) | **Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports.** This advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references. Original description: A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When the file incorrectly considered safe is loaded after the scan, it can lead to the execution of malicious code. | Affected by 20 other vulnerabilities. |
| VCID-c7w5-grfx-j7fr (Aliases: GHSA-j343-8v2j-ff7w) | **Picklescan is missing detection when calling built-in Python `idlelib.pyshell.ModifiedInterpreter.runcommand`.** `idlelib.pyshell.ModifiedInterpreter.runcommand`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-dz86-5sqp-m3gj (Aliases: GHSA-g38g-8gr9-h9xp) | **PickleScan has multiple stdlib modules with direct RCE not in blocklist.** picklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely. | Affected by 0 other vulnerabilities. |
| VCID-dzje-5de9-bfb4 (Aliases: GHSA-h3qp-7fh3-f8h4) | **Picklescan missing detection when calling PyTorch function `torch.utils.data.datapipes.utils.decoder.basichandlers`.** `torch.utils.data.datapipes.utils.decoder.basichandlers`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 47 other vulnerabilities. |
| VCID-e8b8-zuq1-5fb5 (Aliases: GHSA-hgrh-qx5j-jfwx) | **Picklescan Bypasses Unsafe Globals Check using `pty.spawn`.** The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the `pty` library (more specifically, of the `pty.spawn` function) from PickleScan's list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats. | Affected by 9 other vulnerabilities. |
| VCID-efmk-gy96-13bq (Aliases: GHSA-p9w7-82w4-7q8m) | **Picklescan is missing detection when calling built-in Python `lib2to3.pgen2.pgen.ParserGenerator.make_label`.** `lib2to3.pgen2.pgen.ParserGenerator.make_label`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-fa6r-jn3y-4yfb (Aliases: GHSA-84r2-jw7c-4r5q) | **Picklescan has Incomplete List of Disallowed Inputs.** Currently picklescan only blocks some specific functions of the `pydoc` and `operator` modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. In particular: `pydoc.locate` can dynamically resolve and import arbitrary modules (e.g., resolving the string "os" to the actual `os` module); `operator.methodcaller` allows executing a method on an object, and when combined with a resolved module object, it can execute functions like `system`. Since `locate` and `methodcaller` are not explicitly listed in the deny-list, picklescan treats them as "Safe" or "Suspicious" (depending on configuration) but does not flag them as "Dangerous", allowing the malicious file to bypass the security check. | Affected by 9 other vulnerabilities. |
| VCID-fdpc-mh9w-xqaz (Aliases: GHSA-vr7h-p6mm-wpmh) | **Picklescan missing detection when calling PyTorch function `torch.jit.unsupported_tensor_ops.execWrapper`.** `torch.jit.unsupported_tensor_ops.execWrapper`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 47 other vulnerabilities. |
| VCID-ffv8-d2fk-tubb (Aliases: GHSA-vvpj-8cmc-gx39) | **PickleScan's `pkgutil.resolve_name` has a universal blocklist bypass.** `pkgutil.resolve_name()` is a Python stdlib function that resolves any `"module:attribute"` string to the corresponding Python object at runtime. By using `pkgutil.resolve_name` as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function (e.g., `os.system`, `builtins.exec`, `subprocess.call`) without that function appearing in the pickle's opcodes. picklescan only sees `pkgutil.resolve_name` (which is not blocked) and misses the actual dangerous function entirely. This defeats picklescan's **entire blocklist concept**: every single entry in `_unsafe_globals` can be bypassed. | Affected by 0 other vulnerabilities. |
| VCID-g4fb-k4w9-tbd8 (Aliases: GHSA-49gj-c84q-6qm9) | **Picklescan is missing detection when calling built-in Python `cProfile.run`.** `cProfile.run`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-gww1-x3je-q7a2 (Aliases: GHSA-cffc-mxrf-mhh4) | **Picklescan is vulnerable to RCE via missing detection when calling `numpy.f2py.crackfortran.param_eval`.** `numpy.f2py.crackfortran.param_eval`, a function in NumPy, can be used to execute remote pickle files. | Affected by 9 other vulnerabilities. |
| VCID-h67b-5y6y-xffd (Aliases: GHSA-m7j5-r2p5-c39r) | **picklescan vulnerable to arbitrary file create using `logging.FileHandler`.** Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the `logging.FileHandler` class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files. | Affected by 4 other vulnerabilities. |
| VCID-h8bj-dvqr-kfet (Aliases: GHSA-6556-fwc2-fg2p) | **Picklescan is vulnerable to RCE through missing detection when calling `numpy.f2py.crackfortran._eval_length`.** The `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) can be used to execute arbitrary Python code during unpickling. | Affected by 9 other vulnerabilities. |
| VCID-hj58-pnq5-xybx (Aliases: GHSA-f4x7-rfwp-v3xw) | **Picklescan missing detection when calling PyTorch function `torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression`.** `torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 47 other vulnerabilities. |
| VCID-hukw-x64j-pkhw (Aliases: GHSA-6vqj-c2q5-j97w) | **Picklescan has a missing detection when calling built-in Python `profile.Profile.runctx`.** `profile.Profile.runctx`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-j1w8-qg73-1qc3 (Aliases: GHSA-3vg9-h568-4w9m) | **Picklescan has a missing detection when calling built-in Python `idlelib.debugobj.ObjectTreeItem`.** `idlelib.debugobj.ObjectTreeItem.SetText`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-jcan-amh5-mkcm (Aliases: GHSA-9xph-j2h6-g47v) | **Picklescan has a missing detection when calling built-in Python library `idlelib.calltip.get_entity`.** `idlelib.calltip.get_entity`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-m2a1-ptv8-yueh (Aliases: GHSA-4p4h-9gvq-7xfg) | **Duplicate Advisory: Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate.** This advisory has been withdrawn because it is a duplicate of GHSA-93mv-x874-956g. This link is maintained to preserve external references. Original description: The unsafe globals in Picklescan before 0.0.25 do not include `ssl`. Consequently, `ssl.get_server_certificate` can exfiltrate data via DNS after deserialization. | There are no reported fixed by versions. |
| VCID-m2cs-gnrv-rqek (Aliases: GHSA-6w4w-5w54-rjvr) | **Picklescan has a missing detection when calling built-in Python `idlelib.autocomplete.AutoComplete.get_entity`.** `idlelib.autocomplete.AutoComplete.get_entity`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-mhm6-27cp-1yhr (Aliases: GHSA-97f8-7cmv-76j2) | **Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER.** This is a scanning bypass of the `scan_pytorch` function in `picklescan`. As can be seen in the implementation of [get_magic_number()](https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/torch.py#L76C5-L84), it uses `pickletools.genops(data)` to get the `magic_number`, with the condition that `opcode.name` includes `INT` or `LONG`, but PyTorch's implementation simply uses [pickle_module.load()](https://github.com/pytorch/pytorch/blob/134179474539648ba7dee1317959529fbd0e7f89/torch/serialization.py#L1797) to get this `magic_number`. Because of this implementation difference, the `magic_number` can be embedded into the PyTorch file via a dynamic `eval` using the `__reduce__` trick, so that `pickletools.genops(data)` cannot obtain the `magic_number` from an `INT` or `LONG` opcode, while `pickle_module.load()` still returns the same `magic_number`, leading to a bypass. | Affected by 3 other vulnerabilities. |
| VCID-mkc8-71mt-ybfs (Aliases: GHSA-9w88-8rmg-7g2p) | **Picklescan is missing detection when calling built-in Python `cProfile.runctx`.** `cProfile.runctx`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-mp69-7jdd-8yhe (Aliases: GHSA-46h3-79wf-xr6c) | **Picklescan is vulnerable to RCE via missing detection when calling built-in Python `_operator.attrgetter`.** `_operator.attrgetter`, a built-in Python library function, can be used to execute remote pickle files. | Affected by 7 other vulnerabilities. |
| VCID-n2pc-xd2g-zudu (Aliases: GHSA-cj3c-v495-4xqh) | **Picklescan has a missing detection when calling built-in Python `code.InteractiveInterpreter`.** `code.InteractiveInterpreter.runcode`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-pg7f-wjk7-2qgm (Aliases: GHSA-9gvj-pp9x-gcfr) | **Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass.** Detection bypass in both picklescan and modelscan. Note that it also affects the online Hugging Face pickle scanners, allowing the malicious pickle file to bypass detection. | Affected by 54 other vulnerabilities. |
| VCID-ph9u-h8dq-mfen (Aliases: GHSA-f54q-57x4-jg88) | **Picklescan has a missing detection when calling built-in Python `lib2to3.pgen2.grammar.Grammar.loads`.** `lib2to3.pgen2.grammar.Grammar.loads`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-qy4e-nf4v-kfc2 (Aliases: GHSA-x843-g5mx-g377) | **Picklescan is vulnerable to RCE through missing detection when calling built-in Python `operator.methodcaller`.** `operator.methodcaller`, a built-in Python library function, can be used to execute remote pickle files. | Affected by 9 other vulnerabilities. |
| VCID-r3gk-x182-juf5 (Aliases: GHSA-9m3x-qqw2-h32h) | **picklescan missing detection by simple obfuscation of a `builtins.eval` call.** An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source. | Affected by 4 other vulnerabilities. |
| VCID-ray2-m9fg-5kgz (Aliases: GHSA-rrxm-2pvv-m66x) | **Picklescan is vulnerable to RCE via missing detection when calling `numpy.f2py.crackfortran.getlincoef`.** The `numpy.f2py.crackfortran.getlincoef` function (a NumPy F2PY helper) can be used to execute arbitrary Python code during unpickling. | Affected by 9 other vulnerabilities. |
| VCID-rsm5-cnha-hbc2 (Aliases: GHSA-j424-mc44-f4hj) | **Duplicate Advisory: Picklescan Bypass is Possible via File Extension Mismatch.** This advisory has been withdrawn because it is a duplicate of GHSA-jgw4-cr84-mqxg. This link is maintained to preserve external references. Original description: An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle file security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code. | Affected by 20 other vulnerabilities. |
| VCID-rz3j-cnq5-6qbb (Aliases: GHSA-xp4f-hrf8-rxw7) | **Picklescan is missing detection when calling built-in Python `ensurepip._run_pip`.** `ensurepip._run_pip`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-sapx-fzv8-pbcw (Aliases: GHSA-7wx9-6375-f5wh) | **PickleScan's `profile.run` blocklist mismatch allows `exec()` bypass.** picklescan v1.0.3 blocks `profile.Profile.run` and `profile.Profile.runctx` but does NOT block the module-level `profile.run()` function. A malicious pickle calling `profile.run(statement)` achieves arbitrary code execution via `exec()` while picklescan reports 0 issues. This is because the blocklist entry `"Profile.run"` does not match the pickle global name `"run"`. | Affected by 0 other vulnerabilities. |
| VCID-sffp-afau-8qbw (Aliases: GHSA-86cj-95qr-2p4f) | **Picklescan missing detection when calling PyTorch function `torch._dynamo.guards.GuardBuilder.get`.** `torch._dynamo.guards.GuardBuilder.get`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 47 other vulnerabilities. |
| VCID-sht8-2uh8-eydw (Aliases: GHSA-955r-x9j8-7rhh) | **Picklescan is vulnerable to RCE via missing detection when calling built-in Python `_operator.methodcaller`.** `_operator.methodcaller`, a built-in Python library function, can be used to execute remote pickle files. | Affected by 7 other vulnerabilities. |
| VCID-tfrn-vtbm-97dr (Aliases: GHSA-3gf5-cxq9-w223) | **Picklescan is missing detection when calling built-in Python `idlelib.pyshell.ModifiedInterpreter.runcode`.** `idlelib.pyshell.ModifiedInterpreter.runcode`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-ucjy-namn-vqan (Aliases: GHSA-8r4j-24qv-fmq9) | **Picklescan has a missing detection when calling built-in Python `idlelib.calltip.Calltip`.** `idlelib.calltip.Calltip.fetch_tip`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-uh9g-6nbj-8qcv (Aliases: GHSA-vqmv-47xg-9wpr) | **Picklescan missing detection when calling `pty.spawn`.** `pty.spawn`, a built-in Python library function, can be used to execute arbitrary commands on the host system. | Affected by 9 other vulnerabilities. |
| VCID-urbq-4gnz-a3b9 (Aliases: GHSA-vv6j-3g6g-2pvj) | **Picklescan missing detection when calling PyTorch function `torch.utils._config_module.load_config`.** `torch.utils._config_module.load_config`, a PyTorch library function, can be used to execute a remote pickle file. | Affected by 47 other vulnerabilities. |
| VCID-utgf-mfym-6ff8 (Aliases: GHSA-m869-42cg-3xwr) | **Picklescan is missing detection when calling built-in Python `idlelib.run.Executive.runcode`.** `idlelib.run.Executive.runcode`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-v38f-mhcb-bucj (Aliases: GHSA-fqq6-7vqf-w3fg) | **Picklescan is missing detection when calling built-in Python `doctest.debug_script`.** `doctest.debug_script`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-whea-3bmh-xya3 (Aliases: GHSA-q77w-mwjj-7mqx) | **Picklescan is missing detection when calling built-in Python library `asyncio.unix_events._UnixSubprocessTransport._start`.** `asyncio.unix_events._UnixSubprocessTransport._start`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |
| VCID-ymbm-c1nv-muhm (Aliases: GHSA-7cq8-mj8x-j263) | **Picklescan has a missing detection when calling built-in Python `idlelib.autocomplete.AutoComplete.fetch_completions`.** `idlelib.autocomplete.AutoComplete.fetch_completions`, a built-in Python library function, can be used to execute a remote pickle file. | Affected by 26 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |