CVE-2025-10157: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
The vulnerability allows malicious actors to bypass PickleScan’s unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan matching only the full, exact module name against its list of unsafe globals. By importing through a subclass of a dangerous import instead of the exact module name, an attacker can circumvent the check and inject a malicious payload.
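The difference between an exact-name check and a parent-aware check, shown as an added example (not PickleScan's code or its patch). The denylist, function names and sample byte strings are constructed for illustration; only protocol 0-3 `GLOBAL` opcodes are parsed, and nothing is ever unpickled.

```python
import pickletools

# Constructed denylist for illustration; not PickleScan's actual list.
UNSAFE_MODULES = {"os", "subprocess", "asyncio"}

def imported_globals(data: bytes):
    """Yield (module, name) for each GLOBAL opcode, without loading the pickle."""
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # pickletools reports the argument as "module name"
            module, name = arg.split(" ", 1)
            yield module, name

def flagged_exact(module: str) -> bool:
    """Weak form: only the full module string is compared."""
    return module in UNSAFE_MODULES

def flagged_hardened(module: str) -> bool:
    """Also flag anything imported from beneath a denylisted module."""
    return any(module == m or module.startswith(m + ".") for m in UNSAFE_MODULES)

def scan(data: bytes, check) -> list:
    """Return the dotted names of every import the given check flags."""
    return [f"{m}.{n}" for m, n in imported_globals(data) if check(m)]

# Constructed samples: a bare GLOBAL opcode followed by STOP, nothing callable.
DIRECT = b"cos\ngetcwd\n."
NESTED = b"casyncio.unix_events\n_UnixSubprocessTransport\n."
BENIGN = b"ccollections\nOrderedDict\n."
LOOKALIKE = b"cosmium\nReader\n."  # shares the prefix "os" but is unrelated

if __name__ == "__main__":
    for label, sample in [("direct", DIRECT), ("nested", NESTED),
                          ("benign", BENIGN), ("lookalike", LOOKALIKE)]:
        print(label, scan(sample, flagged_exact), scan(sample, flagged_hardened))
```

The `m + "."` suffix in the hardened check keeps unrelated modules that merely share a prefix from being flagged.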
References
- github.com/advisories/GHSA-f7qq-56ww-84cr
- github.com/mmaitre314/picklescan
- github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py
- github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5
- github.com/mmaitre314/picklescan/pull/50
- github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr
- huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl
- nvd.nist.gov/vuln/detail/CVE-2025-10157
Detect and mitigate CVE-2025-10157 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.