GHSA-jgw4-cr84-mqxg: Picklescan Bypass is Possible via File Extension Mismatch
Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.
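The dispatch flaw described above, as an added example that is not picklescan's own code: a scanner that routes on a PyTorch-style extension and reports a parse error with no fallback, beside one that decides by file content and still runs plain pickle analysis when the container parse fails. The denylist, the `archive/data.pkl` container layout, and the `_Payload` fixture are assumptions constructed for the example; nothing here ever unpickles the bytes, analysis is opcode-level only.

```python
"""Added example (not picklescan's code): extension-first dispatch without a fallback misses a
plain pickle renamed to .bin; a content check with a fallback catches it. Nothing is unpickled."""
import io
import os
import pickle
import pickletools
import zipfile
from dataclasses import dataclass, field

# Assumption: a small denylist standing in for a scanner's real unsafe-globals table.
UNSAFE_GLOBALS = {"builtins": {"eval", "exec", "__import__"}, "os": {"system", "popen"}, "subprocess": {"*"}}
TORCH_EXTENSIONS = {".bin", ".pt", ".pth", ".ckpt"}

@dataclass
class ScanResult:
    path: str
    globals_found: set = field(default_factory=set)
    unsafe: set = field(default_factory=set)
    error: str = ""  # non-empty when the scanner gave up instead of analysing the bytes

    @property
    def detected(self) -> bool:
        return bool(self.unsafe)

def find_globals(data: bytes) -> set:
    """Collect (module, name) for every GLOBAL / STACK_GLOBAL opcode; the pickle is never executed."""
    found, strings = set(), []  # strings: constants seen so far; STACK_GLOBAL consumes the top two
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            found.add((module, name))
    return found

def is_unsafe(module: str, name: str) -> bool:
    names = UNSAFE_GLOBALS.get(module)
    return names is not None and ("*" in names or name in names)

def scan_pickle_bytes(path: str, data: bytes) -> ScanResult:
    """Standard pickle analysis: flag any referenced global that is on the denylist."""
    result = ScanResult(path=path, globals_found=find_globals(data))
    result.unsafe = {g for g in result.globals_found if is_unsafe(*g)}
    return result

def read_torch_container(data: bytes) -> bytes:
    """torch.save() writes a zip archive whose object graph lives in <prefix>/data.pkl (simplified)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            if member == "data.pkl" or member.endswith("/data.pkl"):
                return zf.read(member)
    raise ValueError("no data.pkl in archive")

def scan_extension_first(path: str, data: bytes) -> ScanResult:
    """Fragile dispatch: a torch-style extension forces the container parser; a parse failure is an error, no fallback."""
    if os.path.splitext(path)[1].lower() in TORCH_EXTENSIONS:
        try:
            inner = read_torch_container(data)
        except (zipfile.BadZipFile, ValueError) as exc:
            return ScanResult(path=path, error=f"torch parse failed: {exc}")
        return scan_pickle_bytes(path, inner)
    return scan_pickle_bytes(path, data)

def scan_with_fallback(path: str, data: bytes) -> ScanResult:
    """Hardened dispatch: pick the parser by content (zip magic); if that still fails, scan the raw bytes."""
    if data[:4] == b"PK\x03\x04":
        try:
            return scan_pickle_bytes(path, read_torch_container(data))
        except (zipfile.BadZipFile, ValueError):
            pass  # not a usable container: fall through to the plain pickle scan
    return scan_pickle_bytes(path, data)

class _Payload:
    """Constructed fixture: reduces to a call of builtins.eval; it is never loaded here."""
    def __reduce__(self):
        return (eval, ("1 + 1",))

def build_sample_pickle(protocol: int = 4) -> bytes:
    return pickle.dumps(_Payload(), protocol=protocol)  # proto 3 emits GLOBAL, proto 4 STACK_GLOBAL

def build_sample_torch_zip(inner_pickle: bytes) -> bytes:
    """Constructed fixture with the torch.save() zip layout, wrapping the given pickle bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", inner_pickle)
    return buf.getvalue()

def demo() -> dict:
    """Same bytes down three dispatch paths: only the extension-first scan of the .bin misses."""
    data = build_sample_pickle()
    return {
        "model.pkl / extension-first": scan_extension_first("model.pkl", data).detected,
        "model.bin / extension-first": scan_extension_first("model.bin", data).detected,
        "model.bin / with fallback": scan_with_fallback("model.bin", data).detected,
    }
```

`demo()` returns `True, False, True`: the identical pickle is caught under `.pkl`, missed under `.bin` by the extension-first path (the result carries a parse error rather than a finding, which is the failure mode this advisory describes), and caught again once the dispatcher falls back to plain pickle analysis. `build_sample_torch_zip` shows the hardened path still handles a genuine container, so the fallback costs nothing on legitimate files. The one-sided lesson for anyone writing such a scanner: a parse error on the "expected" format must degrade to a more conservative scan, never to a clean result.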