| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| picklescan | pip | < 0.0.33 | 0.0.33 |
The vulnerability lies in picklescan's failure to detect malicious code within pickle files that use functions from the numpy.f2py module, specifically numpy.f2py.crackfortran.myeval. The analysis of the patch commit 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab reveals the root cause and the fix.
The patch modifies src/picklescan/scanner.py in two key ways:
- It adds "numpy.f2py": "*" to the _unsafe_globals dictionary. This dictionary serves as a denylist, and this addition marks all functions within the numpy.f2py module and its submodules as dangerous.
- It updates the _build_scan_result_from_raw_globals function. This function processes the globals extracted from a pickle file to determine their safety. The patch refines the logic to correctly identify a function as dangerous if any of its parent modules are on the denylist.

Prior to the patch, _build_scan_result_from_raw_globals would not have flagged numpy.f2py.crackfortran.myeval because numpy.f2py was not on the denylist, and the submodule check was less comprehensive. Therefore, _build_scan_result_from_raw_globals is the function containing the vulnerable logic. When picklescan analyzes a malicious pickle file, this function is called and, in vulnerable versions, fails to identify the threat, leading to a false sense of security.
Vulnerable function: _build_scan_result_from_raw_globals (src/picklescan/scanner.py)
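The two halves of the fix only work together: adding numpy.f2py to the denylist is useless if the lookup only matches the exact module string of each extracted global, and a parent-module walk is useless if numpy.f2py is not listed. The following is an added illustration, not picklescan's own code, that models both checks over a constructed denylist and a constructed list of extracted globals; the function names, the denylist shape and the sample globals are assumptions for the example.

```python
# Added example (not picklescan's code): a simplified model of a denylist
# check over the (module, name) globals a pickle scanner extracts, showing
# why an exact-module lookup misses numpy.f2py.crackfortran.myeval and how
# checking every parent module catches it. Structure and names are assumed.

# Constructed denylist in the shape the analysis describes:
# module -> "*" (every name in that module and its submodules) or a set of names.
UNSAFE_GLOBALS_BEFORE = {
    "builtins": {"eval", "exec"},
    "os": "*",
}
# Same denylist after the patch's first change: numpy.f2py added as "*".
UNSAFE_GLOBALS_AFTER = dict(UNSAFE_GLOBALS_BEFORE, **{"numpy.f2py": "*"})


def is_dangerous_exact(module, name, denylist):
    """Pre-patch style check: only the exact module string is looked up.

    A global living in a submodule of a denied module (numpy.f2py.crackfortran
    under numpy.f2py) is never matched, even when the parent is on the list.
    """
    entry = denylist.get(module)
    return entry == "*" or (entry is not None and name in entry)


def parent_modules(module):
    """Yield the module and each of its ancestors: 'a.b.c', 'a.b', 'a'."""
    parts = module.split(".")
    for i in range(len(parts), 0, -1):
        yield ".".join(parts[:i])


def is_dangerous_fixed(module, name, denylist):
    """Post-patch style check: dangerous if any parent module is denied as "*",
    or if the exact module denies this particular name."""
    for mod in parent_modules(module):
        entry = denylist.get(mod)
        if entry == "*":
            return True
        # Name-level entries are only meaningful for the exact module.
        if entry is not None and mod == module and name in entry:
            return True
    return False


# Constructed sample of raw globals, as a scanner would extract them from
# GLOBAL opcodes without unpickling anything.
SAMPLE_GLOBALS = [
    ("numpy.f2py.crackfortran", "myeval"),
    ("numpy", "array"),
    ("builtins", "eval"),
]


def scan(globals_seen, denylist, checker):
    """Return the subset of extracted globals the given checker flags."""
    return [(m, n) for m, n in globals_seen if checker(m, n, denylist)]


if __name__ == "__main__":
    print("exact, after patch's denylist change only:",
          scan(SAMPLE_GLOBALS, UNSAFE_GLOBALS_AFTER, is_dangerous_exact))
    print("parent walk, after both changes:",
          scan(SAMPLE_GLOBALS, UNSAFE_GLOBALS_AFTER, is_dangerous_fixed))
```

Running the exact-match checker against the patched denylist still lets numpy.f2py.crackfortran.myeval through, which is why the patch also had to rework _build_scan_result_from_raw_globals; the parent-module walk flags it while leaving an ordinary numpy.array reference alone. A real scanner should of course extract globals with pickletools or an opcode walk rather than ever calling pickle.load on untrusted input.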