Description
picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable, enabling arbitrary code execution when loaded with torch.load().
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

picklescan before version 1.0.3 contains a flaw in the scan_pytorch function that allows an attacker to embed malicious magic numbers through dynamic evaluation, specifically exploiting the __reduce__ technique. This flaw bypasses picklescan’s detection mechanisms and can result in arbitrary code execution when the crafted payload is later loaded with torch.load(). The vulnerability aligns with CWE‑95, where unsafe use of eval-like functions can execute arbitrary code.

Affected Systems

The affected product is picklescan, and any installation of picklescan prior to version 1.0.3 is vulnerable. No other vendors or product variants are listed. Users running picklescan 1.0.3 or newer are not impacted.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 (vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N) models the issue as a network-delivered file that an unprivileged user must passively act on, and records a high integrity impact only; that understates what the description actually claims, since arbitrary code execution in the loading process reaches confidentiality and availability as well. The EPSS score of less than 1 % suggests a low but non-zero probability of exploitation in the general ecosystem. The vulnerability is not currently listed in the CISA KEV catalog, although the SSVC enrichment records its exploitation status as "poc". Exploitation requires an attacker to supply a crafted PyTorch payload that passes picklescan's check and is subsequently loaded with torch.load(); the realistic path is an untrusted model file obtained from a shared repository or hub, or dropped on the host locally, that is scanned with picklescan and then loaded on the strength of a clean result.

Generated by OpenCVE AI on June 18, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the description itself identifies picklescan 1.0.3 as the version containing the fix.

OpenCVE Recommended Actions

  • Upgrade picklescan to version 1.0.3 or later, which contains a fix for the scanning bypass.
  • When patching is not immediately possible, limit torch.load() to trusted data sources and treat a clean picklescan result as advisory rather than proof of safety: this issue is a scanner bypass, so a file that passes the scan still executes when loaded. Where a pickle-based checkpoint must be loaded, call torch.load(path, weights_only=True), which uses a restricted unpickler that rejects imports outside a small allowlist instead of relying on a separate scanner.
  • Prefer the safetensors format or another non-pickle serialization mechanism for external PyTorch models; these formats carry tensor data only and have no code-execution path at load time.

Generated by OpenCVE AI on June 18, 2026 at 19:23 UTC.
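The two ideas the analysis above rests on, shown in working code: why a pickle-based checkpoint is executable data (the __reduce__ trick named in the description lets the stream name a callable, here builtins.eval, exactly the CWE-95 pattern), and why the robust control is an allowlist enforced at load time rather than a scanner run beforehand. This is an added illustration, not picklescan's code and not the specific scan_pytorch bypass, which this entry does not detail. The sample objects, the allowlist contents and the helper names (ReduceTrick, AllowlistUnpickler, imported_globals, safe_load) are constructed for this example; torch is deliberately not imported so the block runs anywhere.

```python
"""
Added illustration (not picklescan's code and not this advisory's bypass):
the __reduce__ mechanism behind pickle code execution, a simplified static
listing of the globals a stream imports, and a load-time allowlist.
"""
import collections
import io
import pickle
import pickletools


class ReduceTrick:
    """An object whose pickled form says "call builtins.eval(<string>)"
    rather than describing data. The expression is a harmless stand-in
    for a real payload; any importable callable could be named here."""

    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))


def make_payload() -> bytes:
    """Constructed sample: a blob carrying the __reduce__ trick."""
    return pickle.dumps(ReduceTrick(), protocol=4)


def make_benign() -> bytes:
    """Constructed sample: the kind of state_dict-like object a checkpoint holds."""
    return pickle.dumps(
        collections.OrderedDict([("layer.weight", [0.5, -0.25])]), protocol=4
    )


def naive_load(data: bytes):
    """What an unrestricted unpickler (torch.load() on a pickle file) does:
    the callable named in the stream runs at load time."""
    return pickle.loads(data)


def imported_globals(data: bytes) -> list:
    """Static listing of every module.name the stream asks to import.
    Simplified on purpose: only literal strings feeding STACK_GLOBAL/GLOBAL
    are resolved, so a name reached through the memo (BINGET) would be
    missed. That brittleness is why scan-only defences can be bypassed
    while the file still loads and runs."""
    found = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":          # protocol <= 3: "module name" in one opcode
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: the two preceding string pushes
            found.append((strings[-2], strings[-1]))
    return found


class AllowlistUnpickler(pickle.Unpickler):
    """Load-time control: refuse any import not on the allowlist.
    ALLOWED is an assumption for this example; a real checkpoint loader
    would list only the rebuild helpers it actually needs."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}")
        return super().find_class(module, name)


def safe_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True when the allowlist loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = make_payload()
    print("globals named by payload:", imported_globals(payload))
    print("unrestricted load executed eval and returned:", naive_load(payload))
    print("allowlist loader refused payload:", safe_load_rejects(payload))
    print("allowlist loader accepted benign:", dict(safe_load(make_benign())))
```

The design point: imported_globals sees builtins.eval in the sample and a scanner could flag it, but the same information can be hidden from a static pass without changing what the unpickler does, and that gap is the class of problem this CVE describes. AllowlistUnpickler cannot be bypassed that way because it decides at the moment the import is requested. torch.load(weights_only=True) applies the same idea inside PyTorch, which is why it belongs next to safetensors in the recommended actions.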

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-97f8-7cmv-76j2
Title: Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
History

Thu, 18 Jun 2026 04:45:00 +0000

Values added (no values removed):

  • Description: picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable, enabling arbitrary code execution when loaded with torch.load().
  • Title: picklescan - Scanning Bypass via Dynamic Eval in scan_pytorch
  • First Time appeared: Mmaitre314; Mmaitre314 picklescan
  • Weaknesses: CWE-95
  • CPEs: cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
  • Vendors & Products: Mmaitre314; Mmaitre314 picklescan
  • References: (none)
  • Metrics:
      cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T17:50:32.410Z

Reserved: 2026-06-10T21:23:54.283Z

Link: CVE-2026-53875

Vulnrichment

Updated: 2026-06-17T17:50:18.803Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:45:03Z

Weaknesses
  • CWE-95

    Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')