Impact
picklescan versions prior to 0.0.28 fail to detect malicious pickle files whose reduce payload calls the torch._dynamo.guards.GuardBuilder.get function. picklescan is a static scanner: it walks the pickle opcode stream and compares every referenced global against a denylist of dangerous callables, so a pickle that invokes a callable missing from that list is reported as clean. An attacker can therefore craft a pickle that passes picklescan and still executes arbitrary code when the file is actually deserialized by the consumer that trusted the scan result (for example a torch.load or pickle.load call), giving the attacker control of that loading process rather than of picklescan itself. The weakness is classified as CWE-502 (Deserialization of Untrusted Data), and its practical consequence is remote code execution in whatever process unpickles the file.
Affected Systems
The affected product is picklescan. All releases before 0.0.28 are vulnerable; version 0.0.28 or later adds detection for this callable so that pickles referencing it are flagged. Anyone who relies on picklescan as a gate for untrusted pickle data, most commonly model checkpoints and other serialized ML artifacts downloaded from third parties, is affected: the scanner itself is not compromised, but the files it approves may be.
Risk and Exploitability
The CVSS score of 7.6 indicates high severity, while the EPSS score of 0.003 (roughly a 0.3% estimated probability of exploitation within 30 days) suggests that exploitation is unlikely but not negligible. The vulnerability is not listed in CISA KEV, so no confirmed in-the-wild exploitation has been catalogued. Based on the description, the likely attack vector is delivery of a crafted pickle file, typically a model checkpoint, into a pipeline that runs picklescan before loading the file: the scan passes, the file is accepted, and the payload runs when the file is subsequently deserialized, whether by a file-upload handler, a network service, or a local script. If successful, an attacker can execute arbitrary commands on the host that loads the file. A denylist scanner will always lag behind newly discovered gadget callables, so picklescan should be treated as defense in depth rather than as a sufficient control; where possible, avoid loading pickles from untrusted sources at all (for example by using safetensors or torch.load with weights_only=True).
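To make the mechanism behind the Impact and Risk sections concrete, the following is an added example written for this page; it is not picklescan's own code and not part of the advisory. It implements a minimal denylist-based pickle scanner in the same style picklescan uses (tokenising the opcode stream with pickletools.genops, never deserializing), hand-assembles pickles that call a given module.name via REDUCE, and shows that a pickle targeting a callable absent from the denylist is reported as clean until that entry is added. The denylist contents, the sample payloads, the placeholder argument passed to the callable, and the function names are all constructed for illustration and do not reproduce picklescan's real tables or the real gadget's arguments.

```python
# Added example (not picklescan's code): a denylist scanner over the pickle
# opcode stream, plus hand-built payloads that never get passed to pickle.loads.
import pickle
import pickletools

# String-pushing opcodes whose arguments STACK_GLOBAL later consumes (module, then name).
_STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def extract_globals(payload: bytes) -> list[tuple[str, str]]:
    """Return every (module, qualname) the pickle references, without executing it.

    pickletools.genops only tokenises the stream, so this is safe on hostile input.
    GLOBAL/INST carry "module name" inline; STACK_GLOBAL takes the two most
    recently pushed strings.
    """
    refs: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(payload):
        if op.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without preceding module/name strings")
            name, module = strings.pop(), strings.pop()
            refs.append((module, name))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return refs


def scan(payload: bytes, denylist: dict) -> list[str]:
    """Return dotted names of referenced globals that match the denylist.

    A value of "*" bans every attribute of a module; otherwise the value is the
    set of banned qualified names inside that module.
    """
    hits = []
    for module, name in extract_globals(payload):
        banned = denylist.get(module)
        if banned is not None and (banned == "*" or name in banned):
            hits.append(f"{module}.{name}")
    return hits


# Illustrative denylists (assumed for this example, not picklescan's tables).
# PRE_FIX has no torch._dynamo.guards entry; POST_FIX adds one, which is the
# shape of change a denylist scanner needs for each newly recognised gadget.
PRE_FIX = {
    "builtins": {"eval", "exec", "compile", "getattr", "open", "__import__"},
    "os": "*",
    "subprocess": "*",
}
POST_FIX = {**PRE_FIX, "torch._dynamo.guards": {"GuardBuilder.get"}}


def _short_unicode(s: str) -> bytes:
    data = s.encode("utf-8")
    assert len(data) < 256
    return pickle.SHORT_BINUNICODE + bytes([len(data)]) + data


def build_reduce_payload(module: str, name: str, arg: str, protocol: int = 2) -> bytes:
    """Hand-assemble a pickle whose reduce step calls module.name(arg).

    Protocol 4 references the callable with STACK_GLOBAL; older protocols use
    GLOBAL. torch is not required and nothing here is ever unpickled.
    """
    if protocol >= 4:
        callable_ref = _short_unicode(module) + _short_unicode(name) + pickle.STACK_GLOBAL
    else:
        callable_ref = pickle.GLOBAL + module.encode() + b"\n" + name.encode() + b"\n"
    arg_bytes = arg.encode("utf-8")
    return (
        pickle.PROTO + bytes([protocol])
        + callable_ref
        + pickle.BINUNICODE + len(arg_bytes).to_bytes(4, "little") + arg_bytes
        + pickle.TUPLE1 + pickle.REDUCE + pickle.STOP
    )


if __name__ == "__main__":
    obvious = build_reduce_payload("os", "system", "id")
    # "<placeholder>" stands in for whatever the real gadget expects; out of scope here.
    gadget = build_reduce_payload("torch._dynamo.guards", "GuardBuilder.get",
                                  "<placeholder>", protocol=4)
    print("os.system, pre-fix list:        ", scan(obvious, PRE_FIX))
    print("GuardBuilder.get, pre-fix list: ", scan(gadget, PRE_FIX))   # clean: false negative
    print("GuardBuilder.get, post-fix list:", scan(gadget, POST_FIX))
```

The point the run makes is that the scanner's verdict depends entirely on list coverage: the os.system payload is caught by both lists, the GuardBuilder.get payload is reported clean by the pre-fix list and only flagged once the entry exists. Any other unlisted callable that reaches eval, exec, or a subprocess internally would pass the same way, which is why the scan result should gate, not replace, a decision not to unpickle untrusted data.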
OpenCVE Enrichment