Description
Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
Details
There is a parsing logic error in picklescan and modelscan in the handling of the STACK_GLOBAL opcode.
When the function _list_globals handles a STACK_GLOBAL at position n, it is expected to collect the opcode's two arguments by walking back over the preceding opcodes, but it walks the wrong range. The loop only considers positions 1 to n-1 and forgets to consider the opcode at position 0; the correct range is 0 to n-1. An attacker can place an argument at position 0, so the parser collects only one argument, and the exception at https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281 is raised. This causes a detection bypass, since the malicious pickle file triggers an unexpected exception instead of being reported.
Example:
PoC
Impact
Detection bypass in both picklescan and modelscan. Note that it also affects the online Hugging Face pickle scanners, allowing the malicious pickle file to bypass detection.
Fix
To fix the range, change range(1, n) to range(1, n+1) to ensure that n-offset stays within the range of 0 to n, so that position 0 is also checked.
https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255
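As an added illustration (not picklescan's own code), the following is a simplified re-implementation of the STACK_GLOBAL argument walk from _list_globals, with the vulnerable range(1, n) beside the patched range(1, n+1), run on a constructed stream whose first argument sits at opcode index 0. The placeholder global ("mod", "func"), the deny list and the scan() wrapper are assumptions; nothing is unpickled, the streams are only disassembled with pickletools.

```python
import pickletools

# Constructed sample: a protocol-4-style stream with no PROTO/FRAME header, so
# the first SHORT_BINUNICODE argument of STACK_GLOBAL sits at opcode index 0.
# The referenced global ("mod", "func") is a placeholder, not a real target.
NO_HEADER = b"\x8c\x03mod\x8c\x04func\x93."
# Same stream with a PROTO header in front: the arguments move to index 1 and 2.
WITH_HEADER = b"\x80\x04" + NO_HEADER

# Memo-related opcodes that sit between the arguments and STACK_GLOBAL are skipped.
SKIP = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def list_stack_globals(data: bytes, fixed: bool) -> list[tuple[str, str]]:
    """Walk back from each STACK_GLOBAL to collect its (module, name) arguments.

    fixed=False uses range(1, n) as in the vulnerable version, which never
    reaches index 0; fixed=True uses range(1, n + 1) as in the patch.
    """
    ops = list(pickletools.genops(data))  # (opcode, arg, pos); nothing is executed
    found = []
    for n, (op, _, _) in enumerate(ops):
        if op.name != "STACK_GLOBAL":
            continue
        values = []
        stop = n + 1 if fixed else n
        for offset in range(1, stop):  # index n - offset runs from n-1 downwards
            prev_op, prev_arg, _ = ops[n - offset]
            if prev_op.name in SKIP:
                continue
            values.append(prev_arg)
            if len(values) == 2:
                break
        if len(values) != 2:
            # This is the failure the advisory describes: one argument is missed.
            raise ValueError(f"Found {len(values)} values for STACK_GLOBAL at {n}")
        name, module = values  # walked backwards, so the name was seen first
        found.append((module, name))
    return found


def scan(data: bytes, fixed: bool, deny=frozenset({("mod", "func")})) -> str:
    """Model of a scanner: a parse error yields no findings, which is the bypass."""
    try:
        hits = [g for g in list_stack_globals(data, fixed) if g in deny]
    except ValueError:
        return "error"
    return "unsafe" if hits else "clean"
```

With the header present both versions recover the global; without it only the patched walk does, and the vulnerable scanner ends in an error rather than a finding.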
References
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr
- https://github.com/mmaitre314/picklescan/commit/58983e1c20973ac42f2df7ff15d7c8cd32f9b688
- https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L255
- https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281
- https://github.com/mmaitre314/picklescan/releases/tag/v0.0.27
Packages
- picklescan: affected versions < 0.0.27, fixed in 0.0.27; severity 8.9 High (CVSS4)
Defects
- 8.9 High (CVSS4)