GHSA-f7qq-56ww-84cr

Опубликовано: 10 сент. 2025

Источник: github

Github: Прошло ревью

CVSS4: 9.3

CVSS3: 8.3

Описание

Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

Summary

The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead of the exact module names, attackers can circumvent the check and inject malicious payloads.

PoC

Download a model that uses the asyncio package:

wget https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl

Check with PickleScan: picklescan -p asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl -g

Expected Result:

PickleScan should identify all asyncio import as dangerous and flag the pickle file as malicious as asyncio is in _unsafe_globals dictionary.

Actual Result: Screenshot 2025-06-29 at 14 13 38

PickleScan marked the import as Suspicious, failing to identify it as a dangerous import.

Impact

Severity: High Affected Users: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content. Impact Details: Attackers can craft malicious PyTorch models containing embedded pickle payloads, package them into ZIP archives, and bypass the PickleScan check by using subclasses of dangerous imports. This could lead to arbitrary code execution on the user's system when these malicious files are processed or loaded.

Recommendations:

Replace: https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309C9-L309C54

unsafe_filter = _unsafe_globals.get(g.module)

by:

matched_key = None if imported_global.module: for key_in_globals in unsafe_globals.keys(): # Check if imported_global.module starts with the key_in_globals AND # (it's the first match OR this key is more specific than the previous match) # AND imported_global.module is exactly the key or imported_global.module is key + '.' + something if imported_global.module.startswith(key_in_globals): if (imported_global.module == key_in_globals or # Exact match (len(imported_global.module) > len(key_in_globals) and imported_global.module[len(key_in_globals)] == '.')): # Submodule match if matched_key is None or len(key_in_globals) > len(matched_key): matched_key = key_in_globals if matched_key: unsafe_filter = unsafe_globals[matched_key]

Ссылки

Пакеты

Наименование

picklescan

pip

Затронутые версииВерсия исправления

<= 0.0.30

0.0.31

EPSS

Процентиль: 42%

0.00197

Низкий

9.3 Critical

CVSS4

8.3 High

CVSS3

CVE ID

CVE-2025-10157

Дефекты

CWE-693

Связанные уязвимости

CVE-2025-10157

CVSS3: 7.8

nvd

5 месяцев назад

A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.

BDU:2025-15288

CVSS3: 9.8

fstec

7 месяцев назад

Уязвимость сканера безопасности для анализа файлов Pickle Python Picklescan, связанная с нарушением механизма защиты данных, позволяющая нарушителю обойти ограничения безопасности и выполнить произвольный код

EPSS

Процентиль: 42%

0.00197

Низкий

9.3 Critical

CVSS4

8.3 High

CVSS3

CVE ID

CVE-2025-10157

Дефекты

CWE-693