PYSEC-2025-18

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-18.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2025-18

Aliases

Published

2025-02-26T15:15:24Z

Modified

2025-04-09T17:59:23.478228Z

Summary

[none]

Details

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via pip.main(). Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.

References

Affected packages

PyPI / picklescan

Package

Name: picklescan; View open source insights on deps.dev
Purl: pkg:pypi/picklescan

Affected ranges

Type: GIT
Repo: https://github.com/mmaitre314/picklescan
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

78ce704227c51f070c0c5fb4b466d92c62a7aa3d

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.21

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.15

0.0.16

0.0.17

0.0.18

0.0.19

0.0.20