PYSEC-2025-34

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-34.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2025-34

Aliases

CVE-2025-46417
GHSA-93mv-x874-956g

Published

2025-04-24T01:15:49Z

Modified

2025-04-24T03:42:20.380984Z

Summary

[none]

Details

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.getservercertificate can exfiltrate data via DNS after deserialization.

References

https://github.com/advisories/GHSA-93mv-x874-956g
https://github.com/mmaitre314/picklescan/pull/40

Affected packages

PyPI / picklescan

Package

Name: picklescan; View open source insights on deps.dev
Purl: pkg:pypi/picklescan

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.25

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.15

0.0.16

0.0.17

0.0.18

0.0.19

0.0.20

0.0.21

0.0.22

0.0.23

0.0.24