Описание
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length
Summary
Picklescan uses the numpy.f2py.crackfortran._eval_length function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.
Details
Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran._eval_length in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.
PoC
class PoC:
def __reduce__(self):
from numpy.f2py.crackfortran import _eval_length
return _eval_length, ("__import__('os').system('whoami')", None)
Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply‑chain poisoning of shared model files.
Credits
Пакеты
Наименование
picklescan
pip
Затронутые версииВерсия исправления
< 0.0.33
0.0.33
6.7 Medium
CVSS4
Дефекты
CWE-502
CWE-94
6.7 Medium
CVSS4
Дефекты
CWE-502
CWE-94