logo

Database

Server side template injection In picklescan

Description

Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef

Summary

Picklescan uses the numpy.f2py.crackfortran.getlincoef function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.

Details

Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran.getlincoef in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.

PoC

class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import getlincoef
        return getlincoef, ("__import__('os').system('whoami')", None)

Impact

    Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.

    Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.

    Enables supply‑chain poisoning of shared model files.

Credits

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-rrxm-2pvv-m66x2. GCVE-GHSA-rrxm-2pvv-m66x

References

1. https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x2. https://github.com/mmaitre314/picklescan/pull/533. https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab4. https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.