N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-7cq8-mj8x-j263

EPSS Score

CWE

Published

8/26/2025

Updated

8/26/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-7cq8-mj8x-j263

GHSA-7cq8-mj8x-j263: Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions

Summary

Using idlelib.autocomplete.AutoComplete.fetch_completions, which is a built-in python library function to execute remote pickle file.

Details

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to idlelib.autocomplete.AutoComplete.fetch_completions function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

class EvilIdlelibAutocompleteFetchCompletions:
    def __reduce__(self):
        from idlelib.autocomplete import AutoComplete, ATTRS
        return AutoComplete().fetch_completions, ("__import__('os').system('whoami')", ATTRS)

Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Corresponding

https://github.com/FredericDT https://github.com/Qhaoduoyu

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-7cq8-mj8x-j263

GHSA-7cq8-mj8x-j263:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-7cq8-mj8x-j263

EPSS Score

CWE

Published

8/26/2025

Updated

8/26/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 0.0.29	0.0.29

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a missing detection in the picklescan library. The library is designed to scan pickle files for potentially malicious code but failed to recognize idlelib.autocomplete.AutoComplete.fetch_completions as a dangerous function. The proof-of-concept demonstrates that this function can be used to execute arbitrary commands by crafting a special __reduce__ method in a class, which is then serialized into a pickle file.

The provided patch aecd11be98702caa9ba9b12189d91ad596a36114 directly addresses this issue by adding "idlelib.autocomplete": {"AutoComplete.get_entity", "AutoComplete.fetch_completions"} to the denylist in src/picklescan/scanner.py. This ensures that any future scans will correctly identify pickle files attempting to use this function.

When a victim loads the malicious pickle file, the AutoComplete.fetch_completions function is called, which would appear in a runtime profile or stack trace. Therefore, this function is the key indicator of exploitation for this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-7cq8-mj8x-j263: Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions

Summary

Details

PoC

Impact

Corresponding

GHSA-7cq8-mj8x-j263:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-7cq8-mj8x-j263: Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions

Summary

Details

PoC

Impact

Corresponding

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI