Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references. Original Description An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner …
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references. Original Description A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of …
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jgw4-cr84-mqxg. This link is maintained to preserve external references. Original Description An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe …
Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check (CRC). Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results. This allows attackers to potentially hide malicious pickle payloads within ZIP archives that PyTorch might still be able to load (as PyTorch often …
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead of the exact module names, attackers can circumvent the check and inject malicious payloads.
Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would …
Using torch.utils.bottleneck.main.run_autograd_prof function, which is a pytorch library function to execute remote pickle file.
Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pickle file.
Using lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in python library function to execute remote pickle file.
Using idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file.
Using idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in python library function to execute remote pickle file.
Using idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in python library function to execute remote pickle file.
Using ensurepip._run_pip function, which is a built-in python library function to execute remote pickle file.
Using doctest.debug_script function, which is a built-in python library function to execute remote pickle file.
Using cProfile.runctx function, which is a built-in python library function to execute remote pickle file.
Using cProfile.run function, which is a built-in python library function to execute remote pickle file.
Using trace.Trace.runctx, which is a built-in python library function to execute remote pickle file.
Using trace.Trace.run, which is a built-in python library function to execute remote pickle file.
Using profile.Profile.runctx, which is a built-in python library function to execute remote pickle file.
Using profile.Profile.run, which is a built-in python library function to execute remote pickle file.
Using idlelib.calltip.get_entity function, which is a built-in python library function to execute remote pickle file.
Using lib2to3.pgen2.grammar.Grammar.loads, which is a built-in python library function to execute remote pickle file.
Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.
Using idlelib.calltip.Calltip.fetch_tip, which is a built-in python library function to execute remote pickle file.
Using idlelib.autocomplete.AutoComplete.get_entity, which is a built-in python library function to execute remote pickle file.
Using idlelib.autocomplete.AutoComplete.fetch_completions, which is a built-in python library function to execute remote pickle file.
Using code.InteractiveInterpreter.runcode, which is a built-in python library function to execute remote pickle file.
Using torch.utils.data.datapipes.utils.decoder.basichandlers function, which is a pytorch library function to execute remote pickle file.
Using torch.utils.collect_env.run function, which is a pytorch library function to execute remote pickle file.
Using torch.utils.bottleneck.main.run_cprofile function, which is a pytorch library function to execute remote pickle file.
Using torch.utils._config_module.load_config function, which is a pytorch library function to execute remote pickle file.
Using torch.jit.unsupported_tensor_ops.execWrapper function, which is a pytorch library function to execute remote pickle file.
Using torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function, which is a pytorch library function to execute remote pickle file.
Using torch._dynamo.guards.GuardBuilder.get function, which is a pytorch library function to execute remote pickle file.
Detection bypass in both picklescan and modelscan. Note that it also affects the online hugging face pickle scanners, making the malicious pickle file bypass the detection.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-93mv-x874-956g. This link is maintained to preserve external references. Original Description The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.
Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.
Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.
Using timeit.timeit() function, which is a built-in python library function to execute remote pickle file.
An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited by import some built-in function in Numpy library that indrectly call some dangerous function like exec() to execute some python code as a parameter, which the attacker can import dangerous library inside like os library and execute arbitrary OS commands.
PickleScan fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.
PickleScan is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w8jq-xcqf-f792. This link is maintained to preserve external references. Original Description picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully …
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7q5r-7gvp-wc82. This link is maintained to preserve external references. Original Description picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make …
Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.
Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to its reliance on file extensions for detection. This allows an attacker to embed a secondary, malicious pickle file with a non-standard extension inside a model archive, which remains undetected by picklescan but is still loaded by PyTorch's torch.load() function. This can lead to arbitrary code execution when the model is loaded.
An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited to run pip install and fetch a malicious package, enabling remote code execution (RCE) upon package installation.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references. Original Description picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via pip.main(). Because pip is not a restricted global, the model, …
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-769v-p64c-89pr. This link is maintained to preserve external references. Original Description picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as …