logo

Database

Server side template injection In picklescan

Description

Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length

Summary

Picklescan uses the numpy.f2py.crackfortran._eval_length function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.

Details

Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran._eval_length in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.

PoC

class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import _eval_length
        return _eval_length, ("__import__('os').system('whoami')", None)

Impact

    Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.

    Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.

    Enables supply‑chain poisoning of shared model files.

Credits

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-6556-fwc2-fg2p2. GCVE-GHSA-6556-fwc2-fg2p

References

1. https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p2. https://github.com/mmaitre314/picklescan/pull/533. https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab4. https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.