N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-cffc-mxrf-mhh4

GHSA-cffc-mxrf-mhh4: Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval

Summary

Picklescan uses numpy.f2py.crackfortran.param_eval, which is a function in numpy to execute remote pickle files.

Details

The attack payload executes in the following steps:

First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.param_eval function via reduce method.
Then, when the victim checks whether the pickle file is safe by using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution.

PoC

class RCE:
    def __reduce__(self):
        from numpy.f2py.crackfortran import param_eval
        return (param_eval,("os.system('ls')",None,None,None))

Impact

Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Report by

Pinji Chen (cpj24@mails.tsinghua.edu.cn) from the NISL lab (https://netsec.ccert.edu.cn/about) at Tsinghua University, Guanheng Liu (coolwind326@gmail.com).

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-cffc-mxrf-mhh4

GHSA-cffc-mxrf-mhh4:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 0.0.33	0.0.33

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in picklescan's failure to identify malicious functions from the numpy.f2py module within a pickle file. The root cause is an incomplete blocklist of dangerous modules and a flawed submodule check. The patch 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab addresses this by adding "numpy.f2py": "*" to the _unsafe_globals dictionary and refining the submodule checking logic within the _build_scan_result_from_raw_globals function in src/picklescan/scanner.py.

The function _build_scan_result_from_raw_globals is the component that consumes this blocklist to determine the safety of globals found in the pickle file. During a scan of a malicious pickle file (prior to the patch), this function would be called and would consult the incomplete _unsafe_globals list. It would not find an entry for numpy.f2py and therefore would not mark globals from this module (such as numpy.f2py.crackfortran.param_eval mentioned in the advisory) as Dangerous. This failure of detection is the vulnerability. An attacker could craft a pickle file that, when scanned, would be deemed safe, leading a user to load it and execute the embedded remote code.

Therefore, _build_scan_result_from_raw_globals is the key function that would appear in a runtime profile during the scanning phase where the vulnerability is triggered. It is the function containing the logic that fails due to the incomplete blocklist and flawed submodule check.

Vulnerable functions

_build_scan_result_from_raw_globals

src/picklescan/scanner.py

This function is responsible for classifying imported globals from a pickle file as safe, suspicious, or dangerous by checking them against a blocklist (`_unsafe_globals`). The vulnerability was that this blocklist was incomplete and did not include the `numpy.f2py` module. Furthermore, the logic for checking submodules was flawed, only checking the top-level module. An attacker could craft a pickle file using a function like `numpy.f2py.crackfortran.param_eval`. When `picklescan` scanned this file, `_build_scan_result_from_raw_globals` would fail to recognize this function as dangerous, leading to a bypass. The patch fixes this by adding `numpy.f2py` to the blocklist and improving the submodule checking logic within this function.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-cffc-mxrf-mhh4: Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval

Summary

Details

PoC

Impact

Report by

GHSA-cffc-mxrf-mhh4:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-cffc-mxrf-mhh4: Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval

Summary

Details

PoC

Impact

Report by

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI