Package details: pkg:pypi/picklescan@0.0.35
purl pkg:pypi/picklescan@0.0.35
Next non-vulnerable version 1.0.4
Latest non-vulnerable version 1.0.4
Risk 4.5
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-dz86-5sqp-m3gj
Aliases:
GHSA-g38g-8gr9-h9xp
PickleScan has multiple stdlib modules with direct RCE not in blocklist. picklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely.
Fixed by: 1.0.4
Affected by 0 other vulnerabilities.
VCID-ffv8-d2fk-tubb
Aliases:
GHSA-vvpj-8cmc-gx39
PickleScan's pkgutil.resolve_name has a universal blocklist bypass. `pkgutil.resolve_name()` is a Python stdlib function that resolves any `"module:attribute"` string to the corresponding Python object at runtime. By using `pkgutil.resolve_name` as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function (e.g., `os.system`, `builtins.exec`, `subprocess.call`) without that function appearing in the pickle's opcodes. picklescan only sees `pkgutil.resolve_name` (which is not blocked) and misses the actual dangerous function entirely. This defeats picklescan's **entire blocklist concept**: every single entry in `_unsafe_globals` can be bypassed.
Fixed by: 1.0.4
Affected by 0 other vulnerabilities.
VCID-h67b-5y6y-xffd
Aliases:
GHSA-m7j5-r2p5-c39r
picklescan vulnerable to arbitrary file create using logging.FileHandler. Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.
Fixed by: 1.0.1
Affected by 4 other vulnerabilities.
VCID-mhm6-27cp-1yhr
Aliases:
GHSA-97f8-7cmv-76j2
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER. This is a scanning bypass of the `scan_pytorch` function in `picklescan`. The implementation of [get_magic_number()](https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/torch.py#L76C5-L84) uses `pickletools.genops(data)` to get the `magic_number`, on the condition that `opcode.name` includes `INT` or `LONG`, whereas PyTorch's implementation simply uses [pickle_module.load()](https://github.com/pytorch/pytorch/blob/134179474539648ba7dee1317959529fbd0e7f89/torch/serialization.py#L1797) to get this `magic_number`. Because of this implementation difference, the `magic_code` can be embedded into the `PyTorch` file via a dynamic `eval` using the `__reduce__` trick, so that `pickletools.genops(data)` cannot find the `magic_code` as an `INT` or `LONG` type while `pickle_module.load()` still returns the same `magic_code`, leading to a bypass.
Fixed by: 1.0.3
Affected by 3 other vulnerabilities.
VCID-r3gk-x182-juf5
Aliases:
GHSA-9m3x-qqw2-h32h
picklescan missing detection by simple obfuscation of a `builtins.eval` call. An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source.
Fixed by: 1.0.1
Affected by 4 other vulnerabilities.
VCID-sapx-fzv8-pbcw
Aliases:
GHSA-7wx9-6375-f5wh
PickleScan's profile.run blocklist mismatch allows exec() bypass. picklescan v1.0.3 blocks `profile.Profile.run` and `profile.Profile.runctx` but does NOT block the module-level `profile.run()` function. A malicious pickle calling `profile.run(statement)` achieves arbitrary code execution via `exec()` while picklescan reports 0 issues. This is because the blocklist entry `"Profile.run"` does not match the pickle global name `"run"`.
Fixed by: 1.0.4
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-afab-1ggb-8faa
Aliases:
GHSA-9726-w42j-3qjr
picklescan has Arbitrary file read using `io.FileIO`. Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:11:33.084291+00:00 | GitLab Importer | Affected by | VCID-ffv8-d2fk-tubb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/picklescan/GHSA-vvpj-8cmc-gx39.yml | 38.6.0 |
| 2026-06-06T07:10:07.112545+00:00 | GitLab Importer | Affected by | VCID-dz86-5sqp-m3gj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/picklescan/GHSA-g38g-8gr9-h9xp.yml | 38.6.0 |
| 2026-06-06T07:09:10.324512+00:00 | GitLab Importer | Affected by | VCID-sapx-fzv8-pbcw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/picklescan/GHSA-7wx9-6375-f5wh.yml | 38.6.0 |
| 2026-06-06T06:53:45.227351+00:00 | GitLab Importer | Affected by | VCID-mhm6-27cp-1yhr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/picklescan/GHSA-97f8-7cmv-76j2.yml | 38.6.0 |
| 2026-06-06T06:47:59.289155+00:00 | GitLab Importer | Affected by | VCID-r3gk-x182-juf5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/picklescan/GHSA-9m3x-qqw2-h32h.yml | 38.6.0 |
| 2026-06-06T06:47:40.825644+00:00 | GitLab Importer | Affected by | VCID-h67b-5y6y-xffd | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/picklescan/GHSA-m7j5-r2p5-c39r.yml | 38.6.0 |
| 2026-06-05T21:54:57.404484+00:00 | GHSA Importer | Fixing | VCID-afab-1ggb-8faa | https://github.com/advisories/GHSA-9726-w42j-3qjr | 38.6.0 |
| 2026-06-04T16:54:13.003727+00:00 | GithubOSV Importer | Fixing | VCID-afab-1ggb-8faa | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-9726-w42j-3qjr/GHSA-9726-w42j-3qjr.json | 38.6.0 |
| 2026-06-02T04:49:26.736045+00:00 | GitLab Importer | Fixing | VCID-afab-1ggb-8faa | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/picklescan/GHSA-9726-w42j-3qjr.yml | 38.6.0 |