AI Threat Alert
picklescan — the de-facto ML model safety scanner — has a scanner bypass that allows malicious pickle files to pass as clean while executing arbitrary code on load. Any pipeline using picklescan < 0.0.33 as a security gate is providing a false sense of security, which is worse than no gate at all. Patch to v0.0.33 immediately and re-scan every model file previously cleared by older versions.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| picklescan | pip | < 0.0.33 | 0.0.33 |
Do you use picklescan? You're affected.
Severity & Risk
Recommended Action
- 1. Patch: Update picklescan to >= 0.0.33 immediately across all environments. 2. Re-scan: Retroactively re-validate all model files previously cleared by older picklescan versions — treat prior results as untrusted. 3. Migrate format: Where possible, switch PyTorch model storage to safetensors — eliminates the pickle deserialization attack surface entirely. 4. Defense-in-depth: Never rely on a single scanner as the sole control; add sandboxed model loading (isolated containers with no network access and restricted syscalls). 5. Detection: Alert on anomalous child process spawning from ML worker processes and unusual network connections originating from model loading jobs.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
### Summary Picklescan uses numpy.f2py.crackfortran.param_eval, which is a function in numpy to execute remote pickle files. ### Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.param_eval function via reduce method. - Then, when the victim checks whether the pickle file is safe by using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution. ### PoC ``` class RCE: def __reduce__(self): from numpy.f2py.crackfortran import param_eval return (param_eval,("os.system('ls')",None,None,None)) ``` ### Impact Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects. ### Report by Pinji Chen (cpj24@mails.tsinghua.edu.cn) from the NISL lab (https://netsec.ccert.edu.cn/about) at Tsinghua University, Guanheng Liu (coolwind326@gmail.com).
Exploitation Scenario
An adversary targets an organization's ML model supply chain. They craft a malicious PyTorch .pkl file using numpy.f2py.crackfortran.param_eval as the __reduce__ callable — a function not on picklescan's blocklist. The file is uploaded to a public model registry (e.g., HuggingFace Hub) as a legitimate-looking fine-tuned model. The victim organization's automated pipeline downloads and scans it with picklescan — scan returns clean. Trusting the result, the pipeline calls pickle.load() and the payload executes: a reverse shell, credential harvester, or persistent backdoor planted in the training environment. From there, the adversary pivots to exfiltrate proprietary training data or poison downstream model artifacts.