N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-5qwp-399c-mjwf

EPSS Score

CWE

Published

8/26/2025

Updated

8/26/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-5qwp-399c-mjwf

GHSA-5qwp-399c-mjwf: Picklescan has a missing detection when calling built-in python trace.Trace.run

Summary

Using trace.Trace.run, which is a built-in python library function to execute remote pickle file.

Details

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to trace.Trace.run function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

class EvilTraceRun:
    def __reduce__(self):
        from trace import Trace
        payload = "__import__('os').system('whoami')"
        return Trace.run, (Trace(), payload)

Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Corresponding

https://github.com/FredericDT https://github.com/Qhaoduoyu

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-5qwp-399c-mjwf

EPSS Score

CWE

Published

8/26/2025

Updated

8/26/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 0.0.29	0.0.29

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability GHSA-5qwp-399c-mjwf describes a missing detection in picklescan for the built-in Python function trace.Trace.run. The provided commit aecd11be98702caa9ba9b12189d91ad596a36114 directly addresses this issue.

The analysis of the commit shows modifications to src/picklescan/scanner.py, where a dictionary named dangerous_globals is maintained. This dictionary serves as a denylist for functions and modules that are considered unsafe to be present in a pickle file.

The patch adds a new entry for the trace module: "trace": {"Trace.run", "Trace.runctx"}. This indicates that prior to this patch, picklescan was not checking for the usage of Trace.run or Trace.runctx, allowing a specially crafted pickle file to execute arbitrary code using these functions, as demonstrated in the vulnerability's Proof of Concept.

Therefore, the vulnerable functions are the ones that were missing from the detection list. During an exploit, a call to trace.Trace.run (or trace.Trace.runctx) would appear in the runtime profile. The vulnerability itself is the omission in picklescan's scanner logic, which is fixed by explicitly adding these functions to the list of dangerous globals.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Usin* tr***.Tr***.run, w*i** is * *uilt-in pyt*on li*r*ry *un*tion to *x**ut* r*mot* pi*kl* *il*. ### **t*ils T** *tt**k p*ylo** *x**ut*s in t** *ollowin* st*ps: *irst, t** *tt**k*r *r**t t** p*ylo** *y **llin* to tr***.Tr***.run *un*

Reasoning

T** vuln*r**ility **S*-*qwp-****-mjw* **s*ri**s * missin* **t**tion in pi*kl*s**n *or t** *uilt-in Pyt*on *un*tion `tr***.Tr***.run`. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is issu*. T** *n*lysis o* t** *

N/A

Basic Information

Concerned about an active attack path?

GHSA-5qwp-399c-mjwf: Picklescan has a missing detection when calling built-in python trace.Trace.run

Summary

Details

PoC

Impact

Corresponding

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI