Description
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef
Summary
A malicious pickle can use the numpy.f2py.crackfortran.getlincoef function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling, and Picklescan does not detect it.
Details
Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran.getlincoef in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.
PoC
    class PoC:
        def __reduce__(self):
            from numpy.f2py.crackfortran import getlincoef
            return getlincoef, ("__import__('os').system('whoami')", None)
Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply‑chain poisoning of shared model files.
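A defender-side check for the gap described in Details, as an added example that is not Picklescan's code or part of the original advisory: it lists the imports a pickle references by walking its opcodes with pickletools, never loading it, and reports anything outside an allowlist. The allowlist policy, the function names and the SAMPLE bytes are assumptions constructed for illustration.

```python
import pickletools

# Constructed sample: a stream that references the function named in this advisory
# with a harmless argument. It is only parsed here, never passed to pickle.load().
SAMPLE = (b"\x80\x02cnumpy.f2py.crackfortran\ngetlincoef\n"
          b"X\x03\x00\x00\x001+1N\x86R.")

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def pickle_imports(data):
    """Return the (module, name) pairs a pickle references, without loading it."""
    found, memo, pushed = set(), {}, []  # pushed: str for string pushes, else None
    for opcode, arg, _pos in pickletools.genops(data):
        op = opcode.name
        if op in ("GLOBAL", "INST"):
            # pickletools reports these as "module name" in a single string.
            found.add(tuple(arg.split(" ", 1)))
        elif op == "STACK_GLOBAL":
            pair = pushed[-2:]
            # Fail closed: operands that cannot be recovered are reported as "?".
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.add(tuple(pair) if ok else ("?", "?"))
        # Track string pushes and memo traffic so STACK_GLOBAL can be resolved.
        if op == "MEMOIZE":
            memo[len(memo)] = pushed[-1] if pushed else None
        elif op in PUT_OPS:
            memo[arg] = pushed[-1] if pushed else None
        elif op in GET_OPS:
            pushed.append(memo.get(arg))
        else:
            pushed.append(arg if op in STRING_OPS else None)
    return found


def unexpected_imports(data, allowed):
    """Imports outside `allowed`; entries are (module, name) or (module, "*")."""
    return {(m, n) for m, n in pickle_imports(data)
            if (m, n) not in allowed and (m, "*") not in allowed}
```

An empty result from unexpected_imports means every referenced import is on the caller's allowlist; a ("?", "?") entry means an import could not be resolved statically and the file should be treated as untrusted.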
Credits
Packages
Name: picklescan (pip)
Affected versions: < 0.0.33
Fixed version: 0.0.33
CVSS4: 8.2 High
Weaknesses
CWE-502
CWE-94