GHSA-rrxm-2pvv-m66x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rrxm-2pvv-m66x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-rrxm-2pvv-m66x/GHSA-rrxm-2pvv-m66x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rrxm-2pvv-m66x
- Published
- 2025-12-30T15:18:16Z
- Modified
- 2025-12-30T15:38:05.334043Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef
- Details
-
Summary
Picklescan uses the
numpy.f2py.crackfortran.getlincoeffunction (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.Details
Picklescan fails to detect a malicious pickle that uses the gadget
numpy.f2py.crackfortran.getlincoefin__reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.PoC
class PoC: def __reduce__(self): from numpy.f2py.crackfortran import getlincoef return getlincoef, ("__import__('os').system('whoami')", None)Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply‑chain poisoning of shared model files.
Credits
- Database specific
{ "severity": "HIGH", "github_reviewed_at": "2025-12-30T15:18:16Z", "cwe_ids": [ "CWE-502", "CWE-94" ], "nvd_published_at": null, "github_reviewed": true }- References
-
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x
- https://github.com/mmaitre314/picklescan/pull/53
- https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab
- https://github.com/mmaitre314/picklescan
- https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33
Affected packages
PyPI / picklescan
Package
- Name
- picklescan
- View open source insights on deps.dev
- Purl
- pkg:pypi/picklescan
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.0.33