PYSEC-2025-153
Vulnerability from pysec - Published: 2025-09-17 12:15 - Updated: 2026-05-20 09:19
VLAI
Details
A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio').
When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.
Severity
7.8 (High)
Impacted products
| Name | purl | picklescan | pkg:pypi/picklescan |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan",
"purl": "pkg:pypi/picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.31"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.1",
"0.0.10",
"0.0.11",
"0.0.12",
"0.0.13",
"0.0.14",
"0.0.15",
"0.0.16",
"0.0.17",
"0.0.18",
"0.0.19",
"0.0.2",
"0.0.20",
"0.0.21",
"0.0.22",
"0.0.23",
"0.0.24",
"0.0.25",
"0.0.26",
"0.0.27",
"0.0.28",
"0.0.29",
"0.0.3",
"0.0.30",
"0.0.4",
"0.0.5",
"0.0.6",
"0.0.7",
"0.0.8",
"0.0.9"
]
}
],
"aliases": [
"CVE-2025-10157",
"GHSA-f7qq-56ww-84cr"
],
"details": "A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., \u0027asyncio.unix_events\u0027 instead of \u0027asyncio\u0027). \n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.",
"id": "PYSEC-2025-153",
"modified": "2026-05-20T09:19:10.890089Z",
"published": "2025-09-17T12:15:38.097Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309"
},
{
"type": "WEB",
"url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl"
},
{
"type": "EVIDENCE",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
CVE-2025-10157 (GCVE-0-2025-10157)
Vulnerability from cvelistv5 – Published: 2025-09-17 11:33 – Updated: 2025-09-17 13:07
VLAI
Title
PickleScan Bypasses Unsafe Globals Check Using Submodule Imports
Summary
A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio').
When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.
Severity
CWE
- CWE-693 - - Protection Mechanism Failure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mmaitre314/picklescan/security… | vendor-advisoryexploit |
| https://huggingface.co/iluem/linux_pkl/resolve/ma… | exploit |
| https://github.com/mmaitre314/picklescan/blob/2a8… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mmaitre314 | picklescan |
Affected:
0 , ≤ 0.0.30
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10157",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:07:29.343961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:07:38.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "picklescan",
"vendor": "mmaitre314",
"versions": [
{
"changes": [
{
"at": "0.0.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.0.30",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JFrog"
},
{
"lang": "en",
"type": "finder",
"value": "@xdcrev"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., \u0027asyncio.unix_events\u0027 instead of \u0027asyncio\u0027). \n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.\n\n\u003c/p\u003e"
}
],
"value": "A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., \u0027asyncio.unix_events\u0027 instead of \u0027asyncio\u0027). \n\nWhen the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Attackers can craft malicious pickle files that import submodules of known dangerous packages. PickleScan fails to flag these files as malicious, marking them only as \u0027Suspicious\u0027. If an automated system or user loads such a file, it could result in arbitrary code execution."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 - Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T11:33:03.680Z",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"name": "GitHub Security Advisory",
"tags": [
"vendor-advisory",
"exploit"
],
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr"
},
{
"name": "Proof of Concept (Malicious Pickle)",
"tags": [
"exploit"
],
"url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl"
},
{
"name": "Vulnerable Code",
"url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309"
}
],
"source": {
"advisory": "GHSA-f7qq-56ww-84cr",
"discovery": "EXTERNAL"
},
"title": "PickleScan Bypasses Unsafe Globals Check Using Submodule Imports",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2025-10157",
"datePublished": "2025-09-17T11:33:03.680Z",
"dateReserved": "2025-09-09T11:07:37.837Z",
"dateUpdated": "2025-09-17T13:07:38.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-F7QQ-56WW-84CR
Vulnerability from github – Published: 2025-09-10 17:15 – Updated: 2025-09-18 12:51
VLAI
Summary
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
Details
Summary
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead of the exact module names, attackers can circumvent the check and inject malicious payloads.
PoC
- Download a model that uses the
asynciopackage:
wget https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl
- Check with PickleScan:
picklescan -p asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl -g
Expected Result:
PickleScan should identify all asyncio import as dangerous and flag the pickle file as malicious as asyncio is in _unsafe_globals dictionary.
Actual Result:
PickleScan marked the import as Suspicious, failing to identify it as a dangerous import.
Impact
Severity: High Affected Users: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content. Impact Details: Attackers can craft malicious PyTorch models containing embedded pickle payloads, package them into ZIP archives, and bypass the PickleScan check by using subclasses of dangerous imports. This could lead to arbitrary code execution on the user's system when these malicious files are processed or loaded.
Recommendations:
Replace: https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309C9-L309C54
unsafe_filter = _unsafe_globals.get(g.module)
by:
matched_key = None
if imported_global.module:
for key_in_globals in unsafe_globals.keys():
# Check if imported_global.module starts with the key_in_globals AND
# (it's the first match OR this key is more specific than the previous match)
# AND imported_global.module is exactly the key or imported_global.module is key + '.' + something
if imported_global.module.startswith(key_in_globals):
if (imported_global.module == key_in_globals or # Exact match
(len(imported_global.module) > len(key_in_globals) and imported_global.module[len(key_in_globals)] == '.')): # Submodule match
if matched_key is None or len(key_in_globals) > len(matched_key):
matched_key = key_in_globals
if matched_key:
unsafe_filter = unsafe_globals[matched_key]
Severity
8.3 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.30"
},
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10157"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-10T17:15:33Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nThe vulnerability allows malicious actors to bypass PickleScan\u0027s unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan\u0027s strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead of the exact module names, attackers can circumvent the check and inject malicious payloads.\n\n### PoC\n1. Download a model that uses the `asyncio` package: \n\n```wget https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl```\n\n2. Check with PickleScan: `picklescan -p asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl -g`\n\n**Expected Result:**\n\nPickleScan should identify all `asyncio` import as dangerous and flag the pickle file as malicious as `asyncio` is in `_unsafe_globals` dictionary.\n\n**Actual Result:**\n\n\nPickleScan marked the import as Suspicious, failing to identify it as a dangerous import.\n\n### Impact\n**Severity**: High\n**Affected Users**: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.\n**Impact Details**: Attackers can craft malicious PyTorch models containing embedded pickle payloads, package them into ZIP archives, and bypass the PickleScan check by using subclasses of dangerous imports. This could lead to arbitrary code execution on the user\u0027s system when these malicious files are processed or loaded.\n\n**Recommendations:**\n\n**Replace:**\nhttps://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309C9-L309C54\n\n\n ` unsafe_filter = _unsafe_globals.get(g.module)`\n\nby:\n```\n matched_key = None\n if imported_global.module:\n for key_in_globals in unsafe_globals.keys():\n # Check if imported_global.module starts with the key_in_globals AND\n # (it\u0027s the first match OR this key is more specific than the previous match)\n # AND imported_global.module is exactly the key or imported_global.module is key + \u0027.\u0027 + something\n if imported_global.module.startswith(key_in_globals):\n if (imported_global.module == key_in_globals or # Exact match\n (len(imported_global.module) \u003e len(key_in_globals) and imported_global.module[len(key_in_globals)] == \u0027.\u0027)): # Submodule match\n if matched_key is None or len(key_in_globals) \u003e len(matched_key):\n matched_key = key_in_globals\n\n if matched_key:\n unsafe_filter = unsafe_globals[matched_key]\n```",
"id": "GHSA-f7qq-56ww-84cr",
"modified": "2025-09-18T12:51:26Z",
"published": "2025-09-10T17:15:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10157"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/pull/50"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309"
},
{
"type": "WEB",
"url": "https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…