Impact
picklescan before 0.0.29 does not detect the built-in Python trace.Trace.runctx function when it is used inside a pickle file's reduce methods, allowing an attacker to embed arbitrary code in a pickle file that executes when that file is loaded. This flaw allows remote code execution through unrestricted deserialization and is categorized as CWE-693: Security Misconfiguration.
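As an added illustration (not picklescan's own code and not part of the advisory), the check below lists every global a pickle would import without ever loading it, by walking the opcode stream with pickletools.genops, and flags references to the trace module the advisory names. The deny list and the sample pickles are constructed for this example.

```python
import collections
import pickle
import pickletools

# Modules that should never be imported by a pickle from an untrusted source.
# "trace" is the module the advisory concerns; the rest are illustrative
# additions for this example (an assumption, not picklescan's own list).
DENY_MODULES = {"trace", "os", "subprocess", "builtins", "sys", "runpy"}

# String-pushing opcodes whose argument may become a STACK_GLOBAL operand.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list each (module, name) a pickle would import when loaded.

    Walks the opcode stream with pickletools.genops, so nothing is
    deserialized or executed. STACK_GLOBAL (protocol 4+) takes its module
    and name from the two most recent string pushes, which is how
    pickle.dumps emits it; hand-crafted streams could reorder this.
    """
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # genops yields "module name"
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
    return found


def flagged_globals(data: bytes) -> list[tuple[str, str]]:
    """Return the referenced globals whose module is on the deny list."""
    return [(m, n) for m, n in referenced_globals(data) if m in DENY_MODULES]


# Constructed samples. SUSPECT_PICKLE is a hand-written protocol-0 stream:
# GLOBAL trace.Trace, EMPTY_TUPLE, REDUCE, STOP (it is never loaded here).
SUSPECT_PICKLE = b"ctrace\nTrace\n)R."
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
ORDERED_PICKLE = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in [("suspect", SUSPECT_PICKLE), ("benign", BENIGN_PICKLE)]:
        print(label, referenced_globals(blob), "flagged:", flagged_globals(blob))
```

A deny list is only a detective control: the durable mitigation is to never unpickle untrusted input at all.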
Affected Systems
All versions of the picklescan tool released before 0.0.29 are affected. The vendor and the product are both listed as picklescan. No patched versions other than 0.0.29 are listed, so any release earlier than that is considered vulnerable.
Risk and Exploitability
The CVSS base score of 7.6 indicates a high severity vulnerability. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the flaw can be exploited remotely by delivering a malicious pickle file that contains a trace.Trace.runctx payload. An attacker does not need special privileges; any system that processes untrusted pickle data with picklescan is at risk.
OpenCVE Enrichment