N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-8r4j-24qv-fmq9

EPSS Score

CWE

Published

8/26/2025

Updated

8/26/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-8r4j-24qv-fmq9

GHSA-8r4j-24qv-fmq9: Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip

Summary

Using idlelib.calltip.Calltip.fetch_tip, which is a built-in python library function to execute remote pickle file.

Details

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to idlelib.calltip.Calltip.fetch_tip function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

class EvilCalltipFetchTip:
    def __reduce__(self):
        from idlelib.calltip import Calltip
        # fetch_tip(expression) -> get_entity(expression) -> eval(expression)
        return Calltip().fetch_tip, ("__import__('os').system('whoami')",)

Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Corresponding

https://github.com/FredericDT https://github.com/Qhaoduoyu

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-8r4j-24qv-fmq9

GHSA-8r4j-24qv-fmq9:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-8r4j-24qv-fmq9

EPSS Score

CWE

Published

8/26/2025

Updated

8/26/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 0.0.29	0.0.29

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core of the vulnerability is a detection bypass in the picklescan library. The tool works by scanning pickle files for a denylist of known dangerous functions. The advisory GHSA-8r4j-24qv-fmq9 revealed that picklescan was not flagging the use of idlelib.calltip.Calltip.fetch_tip, a function in Python's standard library that can be abused to execute arbitrary code. The commit aecd11be98702caa9ba9b12189d91ad596a36114 patches this vulnerability. The analysis of the commit shows that the fix involves updating the dangerous_globals dictionary in src/picklescan/scanner.py to include "idlelib.calltip": {"Calltip.fetch_tip", "get_entity"}. This change ensures that any pickle file attempting to use these functions will be correctly identified as malicious. When an exploit for this picklescan vulnerability is triggered (i.e., a malicious pickle is loaded by a victim), the functions idlelib.calltip.Calltip.fetch_tip or idlelib.calltip.get_entity would appear in the runtime profile or stack trace, as they are the functions being executed to achieve the attacker's goal.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-8r4j-24qv-fmq9: Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip

Summary

Details

PoC

Impact

Corresponding

GHSA-8r4j-24qv-fmq9:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-8r4j-24qv-fmq9: Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip

Summary

Details

PoC

Impact

Corresponding

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI