GHSA-mjqp-26hc-grxg: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check

September 10, 2025

Picklescan’s ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check (CRC). Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results. This allows attackers to potentially hide malicious pickle payloads within ZIP archives that PyTorch might still be able to load (as PyTorch often disables CRC checks).

References

github.com/advisories/GHSA-mjqp-26hc-grxg
github.com/mmaitre314/picklescan
github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5
github.com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg

Code Behaviors & Features

Detect and mitigate GHSA-mjqp-26hc-grxg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →