GHSA-6556-fwc2-fg2p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6556-fwc2-fg2p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-6556-fwc2-fg2p/GHSA-6556-fwc2-fg2p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6556-fwc2-fg2p
- Published
- 2025-12-30T15:20:14Z
- Modified
- 2025-12-30T15:37:26.366809Z
- Severity
-
- 6.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length
- Details
-
Summary
Picklescan uses the
numpy.f2py.crackfortran._eval_lengthfunction (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.Details
Picklescan fails to detect a malicious pickle that uses the gadget
numpy.f2py.crackfortran._eval_lengthin__reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.PoC
class PoC: def __reduce__(self): from numpy.f2py.crackfortran import _eval_length return _eval_length, ("__import__('os').system('whoami')", None)Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply‑chain poisoning of shared model files.
Credits
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-502", "CWE-94" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-12-30T15:20:14Z" }- References
-
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p
- https://github.com/mmaitre314/picklescan/pull/53
- https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab
- https://github.com/mmaitre314/picklescan
- https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33
Affected packages
PyPI / picklescan
Package
- Name
- picklescan
- View open source insights on deps.dev
- Purl
- pkg:pypi/picklescan