Advisories for Pypi/Picklescan package

Using torch.utils.bottleneck.main.run_autograd_prof function, which is a pytorch library function to execute remote pickle file.

Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pickle file.

Using lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in python library function to execute remote pickle file.

Using idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file.

Using idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in python library function to execute remote pickle file.

Using idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in python library function to execute remote pickle file.

Using ensurepip._run_pip function, which is a built-in python library function to execute remote pickle file.

Using doctest.debug_script function, which is a built-in python library function to execute remote pickle file.

Using cProfile.runctx function, which is a built-in python library function to execute remote pickle file.

Using cProfile.run function, which is a built-in python library function to execute remote pickle file.

Using trace.Trace.runctx, which is a built-in python library function to execute remote pickle file.

Using trace.Trace.run, which is a built-in python library function to execute remote pickle file.

Using profile.Profile.runctx, which is a built-in python library function to execute remote pickle file.

Using profile.Profile.run, which is a built-in python library function to execute remote pickle file.

Using idlelib.calltip.get_entity function, which is a built-in python library function to execute remote pickle file.

Using lib2to3.pgen2.grammar.Grammar.loads, which is a built-in python library function to execute remote pickle file.

Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.

Using idlelib.calltip.Calltip.fetch_tip, which is a built-in python library function to execute remote pickle file.

Using idlelib.autocomplete.AutoComplete.get_entity, which is a built-in python library function to execute remote pickle file.

Using idlelib.autocomplete.AutoComplete.fetch_completions, which is a built-in python library function to execute remote pickle file.

Using code.InteractiveInterpreter.runcode, which is a built-in python library function to execute remote pickle file.

Using torch.utils.data.datapipes.utils.decoder.basichandlers function, which is a pytorch library function to execute remote pickle file.

Using torch.utils.collect_env.run function, which is a pytorch library function to execute remote pickle file.

Using torch.utils.bottleneck.main.run_cprofile function, which is a pytorch library function to execute remote pickle file.

Using torch.utils._config_module.load_config function, which is a pytorch library function to execute remote pickle file.

Using torch.jit.unsupported_tensor_ops.execWrapper function, which is a pytorch library function to execute remote pickle file.

Using torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function, which is a pytorch library function to execute remote pickle file.

Using torch._dynamo.guards.GuardBuilder.get function, which is a pytorch library function to execute remote pickle file.

Detection bypass in both picklescan and modelscan. Note that it also affects the online hugging face pickle scanners, making the malicious pickle file bypass the detection.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-93mv-x874-956g. This link is maintained to preserve external references. Original Description The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.

Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.

Using timeit.timeit() function, which is a built-in python library function to execute remote pickle file.

An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited by import some built-in function in Numpy library that indrectly call some dangerous function like exec() to execute some python code as a parameter, which the attacker can import dangerous library inside like os library and execute arbitrary OS commands.

PickleScan fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

PickleScan is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w8jq-xcqf-f792. This link is maintained to preserve external references. Original Description picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7q5r-7gvp-wc82. This link is maintained to preserve external references. Original Description picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make …

Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.

Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.

An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited to run pip install and fetch a malicious package, enabling remote code execution (RCE) upon package installation.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references. Original Description picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via pip.main(). Because pip is not a restricted global, the model, …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-769v-p64c-89pr. This link is maintained to preserve external references. Original Description picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as …