GHSA-m7j5-r2p5-c39r

GHSA-m7j5-r2p5-c39r MEDIUM
Published February 2, 2026
CISO Take

picklescan — the de-facto tool organizations use to sanitize ML model files before loading — is itself exploitable via the exact threat it guards against. Any pipeline feeding untrusted .pkl files through picklescan (scanning HuggingFace downloads, model submissions, dataset archives) can have arbitrary files created on the scanning host by the files being scanned. Upgrade to picklescan ≥1.0.1 immediately and audit scanner infrastructure for unexpected sentinel files.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         < 1.0.1            1.0.1

Do you use picklescan? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. Upgrade picklescan to ≥1.0.1 immediately: `pip install --upgrade picklescan`.
  2. Run all pickle scanning in an isolated container with a read-only or tmpfs filesystem and a restrictive seccomp profile, so that file creation is blocked regardless of scanner state.
  3. Audit scanning hosts for unexpected files — particularly *.lock, maintenance.lock, .lock and .maintenance — and investigate their origin.
  4. Implement defense-in-depth: prefer the safetensors format over pickle for model weights from untrusted sources; pickle should never be loaded without explicit trust.
  5. Add filesystem integrity monitoring on scan nodes (inotifywait or auditd) to alert on unexpected file creation events during scan jobs.
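Actions 3 and 5 above both reduce to one question: what did the scan job leave on disk that was not there before? The following added example (not code from this advisory or from the picklescan project) answers it in plain Python by snapshotting the scan host's working tree, running the job, diffing the tree and flagging any newly created file whose name matches a sentinel pattern. The sentinel list mirrors action 3; the directory layout and the fake scan job are constructed for the demonstration, and on a real node the job would be the picklescan invocation and the root its working directory.

```python
"""Snapshot-and-diff audit of a scan host's working tree around a scan job."""
import fnmatch
import os
import tempfile
from pathlib import Path

# Sentinel names from recommended action 3 (the wildcard already covers the
# explicit .lock names; they are kept for readability).
SENTINEL_PATTERNS = ("*.lock", ".lock", "maintenance.lock", ".maintenance")


def snapshot_tree(root: Path) -> dict[str, tuple[int, int]]:
    """Map every file under root to (size, mtime_ns) so creations and edits show up."""
    snap: dict[str, tuple[int, int]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            st = p.lstat()
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before: dict, after: dict) -> tuple[list[str], list[str]]:
    """Return (created, modified) relative paths, both sorted for stable reporting."""
    created = sorted(set(after) - set(before))
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return created, modified


def flag_sentinels(paths, patterns=SENTINEL_PATTERNS) -> list[str]:
    """Keep only the paths whose basename matches a known sentinel pattern."""
    return [p for p in paths
            if any(fnmatch.fnmatch(Path(p).name, pat) for pat in patterns)]


def audit_scan_job(root: Path, job) -> dict:
    """Run job() (e.g. the picklescan invocation) and report its filesystem side effects."""
    before = snapshot_tree(root)
    job()
    created, modified = diff_snapshots(before, snapshot_tree(root))
    return {
        "created": created,
        "modified": modified,
        "sentinels": flag_sentinels(created),
        "clean": not created and not modified,
    }


def demo() -> dict:
    """Constructed scenario: a 'scan job' that drops a zero-byte maintenance.lock."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.pkl").write_bytes(b"placeholder")  # pre-existing artifact

        def fake_scan():
            (root / "maintenance.lock").touch()           # the side effect we must catch
            (root / "logs").mkdir()
            (root / "logs" / "scan.txt").write_text("ok\n")  # legitimate scanner output

        return audit_scan_job(root, fake_scan)


if __name__ == "__main__":
    print(demo())
```

The report distinguishes "created" from "sentinels" on purpose: a scanner legitimately writes its own output, so the alert threshold is a sentinel match or any unexplained creation, not any write at all. Because a read-only or tmpfs root (action 2) makes the created list empty by construction, this check doubles as a test that the sandbox is actually in effect.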

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.3 - AI risk treatment
NIST AI RMF
MS-2.5 - AI risk and benefit management — supply chain
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Technical Details

NVD Description

### Summary

Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.

### Details

The application deserializes untrusted pickle data. While RCE keywords may be blocked, the exploit abuses standard library features:

- logging.FileHandler: the exploit instantiates this class using its default behavior (append mode).
- Behavior on existing files: if the target file already exists, the handler opens it without modifying its content, resulting in no impact to existing data.
- Behavior on non-existent files: if the target file does not exist, the handler creates a new zero-byte file with the specified name.

### PoC

```python
import pickle


class WriteFile:
    def __reduce__(self):
        # Standard-library class, so an RCE-focused blocklist does not match it
        from logging import FileHandler
        return (FileHandler, ('evil.log',))


with open("bypass_write.pkl", "wb") as f:
    pickle.dump(WriteFile(), f)

# Loading the pickle instantiates FileHandler, which creates evil.log if absent
handler = pickle.loads(pickle.dumps(WriteFile()))
```

### Impact

This primitive can be used for Filesystem Pollution or Logic Disruption. For example, an attacker could create specific "lock files" (e.g., maintenance.lock, .lock) that the application checks for, potentially triggering a Denial of Service (DoS) or preventing the application from starting.
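The bypass above only works against a scanner that enumerates known RCE gadgets. The added example below (not code from this advisory or from the picklescan project) shows the defensive counterpart: it walks the opcode stream with pickletools.genops, never unpickling anything, lists every global the stream would import, and then judges the file by an allowlist rather than a blocklist. The allowlist contents, the RCE blocklist and the sample byte strings are constructed for the demonstration; the two malicious samples encode the same logging.FileHandler reference as the PoC, once as a protocol 0 GLOBAL and once as a protocol 4 STACK_GLOBAL, so both opcode forms are exercised.

```python
"""Static allowlist scan of a pickle stream: list imported globals without loading."""
import pickle
import pickletools
from collections import OrderedDict

# Globals a model pickle may reference. Constructed for this example; a real
# deployment derives the set from the framework actually in use.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("numpy.core.multiarray", "_reconstruct"),
}

# What a blocklist-only scanner looks for (constructed, deliberately RCE-centric).
RCE_BLOCKLIST = {("os", "system"), ("subprocess", "Popen"),
                 ("builtins", "eval"), ("builtins", "exec")}

# Opcodes that push a string constant; STACK_GLOBAL consumes the two most recent.
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the pickle would import on load.

    Handles GLOBAL (protocols 0-3) and STACK_GLOBAL (protocol 4+), including
    module/name strings that arrive via the memo (PUT/GET). Only the opcode
    stream is parsed; no object is ever constructed.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []        # string constants recently pushed on the stack
    memo: dict[int, object] = {}   # memo slot -> value, tracked only for strings
    last: object = None            # top of stack if the last push was a string
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in _STRING_OPS:
            last = arg
            strings.append(arg)
        elif name == "MEMOIZE":                # implicit slot, like the real unpickler
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif name == "GLOBAL":                 # arg is "module name"
            module, qualname = arg.split(" ", 1)
            found.append((module, qualname))
            last = None
        elif name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed pickle: STACK_GLOBAL without module/name")
            found.append((strings[-2], strings[-1]))
            last = None
        else:
            last = None
    return found


def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS) -> dict:
    """Allowlist verdict: anything not explicitly permitted is denied."""
    globs = referenced_globals(data)
    denied = sorted({g for g in globs if g not in allowed})
    return {"globals": globs, "denied": denied, "safe": not denied}


def passes_rce_blocklist(data: bytes) -> bool:
    """Blocklist verdict: True means 'no known RCE gadget seen' (not 'safe')."""
    return not any(g in RCE_BLOCKLIST for g in referenced_globals(data))


# Constructed samples. BENIGN is a real pickle of an OrderedDict; the other two
# reference logging.FileHandler('evil.log') exactly as the PoC does.
BENIGN = pickle.dumps(OrderedDict(layer=[0.1, 0.2]), protocol=4)
MALICIOUS_P0 = b"clogging\nFileHandler\n(Vevil.log\ntR."
MALICIOUS_P4 = (b"\x80\x04\x8c\x07logging\x94\x8c\x0bFileHandler\x94\x93"
                b"\x8c\x08evil.log\x94\x85\x94R\x94.")


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("p0", MALICIOUS_P0), ("p4", MALICIOUS_P4)):
        print(label, scan_pickle(sample), "blocklist passes:", passes_rce_blocklist(sample))
```

Run against the samples, the blocklist lets both FileHandler pickles through while the allowlist denies them and accepts the OrderedDict. That asymmetry is the whole lesson of this advisory: the set of standard-library callables with a file-touching side effect is open-ended, so a scanner can only be trusted to say what a pickle is allowed to import, never what it is forbidden to import.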

Exploitation Scenario

An adversary uploads a weaponized .pkl file to a public model hub or submits it as a 'contributed model' to an ML project. The victim's CI/CD pipeline automatically runs picklescan to validate the artifact before registering it. During scanning, picklescan deserializes the pickle payload, which instantiates logging.FileHandler and creates a zero-byte maintenance.lock file in the application working directory. On next service restart the application detects the lock file and enters a degraded maintenance mode — or refuses to start entirely — causing a production outage. The attacker achieves reliable DoS with no credentials, no network access beyond file submission, and no malware detectable in the artifact itself since logging.FileHandler is a standard library class.

Timeline

Published
February 2, 2026
Last Modified
February 2, 2026
First Seen
March 24, 2026