The vulnerability is a missing detection in the picklescan library. The library is designed to scan pickle files for potentially malicious code but failed to recognize idlelib.autocomplete.AutoComplete.fetch_completions as a dangerous function. The proof-of-concept demonstrates that this function can be used to execute arbitrary commands by crafting a special __reduce__ method in a class, which is then serialized into a pickle file.
The provided patch aecd11be98702caa9ba9b12189d91ad596a36114 directly addresses this issue by adding "idlelib.autocomplete": {"AutoComplete.get_entity", "AutoComplete.fetch_completions"} to the denylist in src/picklescan/scanner.py. This ensures that any future scans will correctly identify pickle files attempting to use this function.
When a victim loads the malicious pickle file, the AutoComplete.fetch_completions function is called, which would appear in a runtime profile or stack trace. Therefore, this function is the key indicator of exploitation for this vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| picklescan | pip | < 0.0.29 | 0.0.29 |
Ongoing coverage of React2Shell