
@alon710
Created January 28, 2026 11:45
GHSA-46h3-79wf-xr6c: picklescan RCE: The "Secure Pickle" Myth and the _operator Bypass - CVE Security Report

CVSS Score: 9.8 Published: 2025-12-30 Full Report: https://cvereports.com/reports/GHSA-46h3-79wf-xr6c

Summary

A critical bypass in the picklescan security scanner allows remote code execution via '_operator', the C-implemented module that backs Python's operator module and that the scanner did not block.

TL;DR

picklescan, a tool designed to detect malicious Python pickles, failed to block the C-based _operator module. By referencing _operator.attrgetter instead of the blocked operator.attrgetter, an attacker can get a pickle past the scanner and achieve full RCE on systems that rely on it to vet untrusted serialized data before loading.
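To make the scanner gap concrete from the defender's side, here is an added example (not picklescan's own code) of an opcode-level scanner that disassembles a pickle with pickletools, never unpickles it, and resolves C-accelerator aliases such as _operator back to the public module name before consulting a denylist. The alias table and the denylist are hypothetical and deliberately small; the sample streams are constructed for the example and only reference an attrgetter import, they are not payloads. Run with normalize_aliases=False to see a public-name-only denylist miss exactly the case this advisory describes.

```python
import pickle
import pickletools
from typing import List, Tuple

# CPython exposes several modules twice: a pure-Python front (operator) and a C
# accelerator (_operator) offering the same callables. A denylist keyed only on the
# public name misses the underscore alias, which is the gap behind GHSA-46h3-79wf-xr6c.
# Hypothetical alias table for this example, not picklescan's own.
C_ACCELERATOR_ALIASES = {
    "_operator": "operator",
    "_functools": "functools",
    "_pickle": "pickle",
}

# Hypothetical, deliberately small denylist of (module, attribute) imports;
# picklescan's real list is longer.
UNSAFE_GLOBALS = {
    ("operator", "attrgetter"),
    ("operator", "methodcaller"),
    ("builtins", "eval"),
    ("builtins", "exec"),
    ("builtins", "getattr"),
    ("os", "system"),
    ("subprocess", "Popen"),
}


def extract_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) pair a pickle stream imports, without unpickling it.

    GLOBAL (protocols 0-3) carries 'module name' as its argument. STACK_GLOBAL
    (protocol 4+) takes module and name from the two most recent string pushes, which
    is what pickle.dumps emits; operands fetched from the memo are not resolved here.
    """
    found: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string operands")
            found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)  # SHORT_BINUNICODE, BINUNICODE, STRING, ...
    return found


def scan(data: bytes, normalize_aliases: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means no denylisted import was seen.

    With normalize_aliases=False the scan behaves like a denylist that only knows the
    public module name and therefore misses _operator.attrgetter.
    """
    findings: List[str] = []
    for module, name in extract_globals(data):
        canonical = C_ACCELERATOR_ALIASES.get(module, module) if normalize_aliases else module
        if (canonical, name) in UNSAFE_GLOBALS:
            suffix = f" (alias of {canonical})" if canonical != module else ""
            findings.append(f"{module}.{name}{suffix}")
    return findings


# Constructed sample streams for this example; none of them is a real-world payload.
BENIGN = pickle.dumps({"epoch": 3, "lr": 0.01}, protocol=4)  # plain dict, no imports
PUBLIC_NAME = b"coperator\nattrgetter\n."    # GLOBAL operator.attrgetter, protocol 0
ALIAS_NAME = b"c_operator\nattrgetter\n."    # GLOBAL _operator.attrgetter, the advisory's case
# PROTO 4, SHORT_BINUNICODE "operator", SHORT_BINUNICODE "attrgetter", STACK_GLOBAL, STOP
STACK_GLOBAL_NAME = b"\x80\x04\x8c\x08operator\x8c\x0aattrgetter\x93."

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("public", PUBLIC_NAME),
               ("alias", ALIAS_NAME), ("stack_global", STACK_GLOBAL_NAME)]
    for label, stream in samples:
        print(f"{label:13s} naive={scan(stream, normalize_aliases=False)} "
              f"normalized={scan(stream)}")
```

The design point is that the scanner operates on the opcode stream, so no code from the pickle runs during the check, and that the denylist lookup happens on a canonical module name rather than on the literal string the pickle supplies. Any scanner that compares raw module strings against a list of public names has the same blind spot for every C-accelerated module, not just _operator.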

Exploit Status: PoC

Technical Details

  • CWE: CWE-502 (Deserialization of Untrusted Data)
  • CVSS: 9.8 (Critical)
  • Attack Vector: Network / Local (via File)
  • Impact: Remote Code Execution (RCE)
  • Key Component: _operator (Python C-Module)
  • Exploit Status: PoC Available

Affected Systems

  • picklescan < 0.0.34 (Fixed in: 0.0.34)
  • ML pipelines using picklescan
  • Model repositories validating PyTorch files

Mitigation

  • Update picklescan to v0.0.34+
  • Migrate from Pickle to Safetensors or ONNX
  • Sandbox deserialization processes

Remediation Steps:

  1. Run pip install --upgrade picklescan
  2. Audit all pipelines accepting serialized data for 'pickle' usage
  3. Verify that picklescan is part of a defense-in-depth strategy, not the sole control

Generated by CVEReports - Automated Vulnerability Intelligence
