CVE-2025-10157

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-10157
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10157.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-10157
Aliases
Published
2025-09-17T12:15:38.097Z
Modified
2026-05-20T08:11:22.699299377Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio').

When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.

References

Affected packages

Git / github.com/mmaitre314/picklescan

Affected ranges

Type
GIT
Repo
https://github.com/mmaitre314/picklescan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
28a7b4ef753466572bda3313737116eeb9b4e5c5
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.31"
        }
    ]
}

Affected versions

v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.3
v0.0.30
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10157.json"