GHSA-M7J5-R2P5-C39R

Vulnerability from github – Published: 2026-02-02 20:50 – Updated: 2026-02-02 20:50
VLAI?
Summary
picklescan vulnerable to arbitrary file create using logging.FileHandler
Details

Summary

Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.

Details

The application deserializes untrusted pickle data. While RCE keywords may be blocked, the exploit abuses standard library features:

logging.FileHandler: The exploit instantiates this class using its default behavior (append mode).

Behavior on Existing Files: If the target file already exists, the handler opens it without modifying its content, resulting in no impact to existing data.

Behavior on Non-Existent Files: If the target file does not exist, the handler creates a new zero-byte file with the specified name.

PoC

import pickle

class WriteFile:
    def __reduce__(self):
        from logging import FileHandler
        return (FileHandler, ('evil.log',))

with open("bypass_write.pkl", "wb") as f:
    pickle.dump(WriteFile(), f)

handler = pickle.loads(pickle.dumps(WriteFile()))

313e1cfacbe700e27b6875e49808c52a

Impact

This primitive can be used for Filesystem Pollution or Logic Disruption. For example, an attacker could create specific "lock files" (e.g., maintenance.lock, .lock) that the application checks for, potentially triggering a Denial of Service (DoS) or preventing the application from starting.

Severity ?
5.5 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T20:50:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nUnsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.\n\n### Details\nThe application deserializes untrusted pickle data. While RCE keywords may be blocked, the exploit abuses standard library features:\n\nlogging.FileHandler: The exploit instantiates this class using its default behavior (append mode).\n\nBehavior on Existing Files: If the target file already exists, the handler opens it without modifying its content, resulting in no impact to existing data.\n\nBehavior on Non-Existent Files: If the target file does not exist, the handler creates a new zero-byte file with the specified name.\n\n### PoC\n```python\nimport pickle\n\nclass WriteFile:\n    def __reduce__(self):\n        from logging import FileHandler\n        return (FileHandler, (\u0027evil.log\u0027,))\n    \nwith open(\"bypass_write.pkl\", \"wb\") as f:\n    pickle.dump(WriteFile(), f)\n\nhandler = pickle.loads(pickle.dumps(WriteFile()))\n```\n\u003cimg width=\"1201\" height=\"140\" alt=\"313e1cfacbe700e27b6875e49808c52a\" src=\"https://github.com/user-attachments/assets/8873bb54-0f98-41aa-8e7c-a38a245ca428\" /\u003e\n\n\n### Impact\nThis primitive can be used for Filesystem Pollution or Logic Disruption. For example, an attacker could create specific \"lock files\" (e.g., maintenance.lock, .lock) that the application checks for, potentially triggering a Denial of Service (DoS) or preventing the application from starting.",
  "id": "GHSA-m7j5-r2p5-c39r",
  "modified": "2026-02-02T20:50:30Z",
  "published": "2026-02-02T20:50:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m7j5-r2p5-c39r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/60"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/4d9bc9cd34bca8672dad3481cd4556d5ba747156"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "picklescan vulnerable to arbitrary file create using logging.FileHandler"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.