The vulnerability in picklescan (GHSA-h3qp-7fh3-f8h4) is a detection bypass. An attacker can craft a malicious pickle file whose payload calls torch.utils.data.datapipes.utils.decoder.basichandlers to execute arbitrary code. picklescan did not classify this function as dangerous, so it reported such a file as safe.
The root cause is an incomplete blocklist of dangerous globals. The patch adds torch.utils.data.datapipes.utils.decoder.basichandlers to the _unsafe_globals dictionary in src/picklescan/scanner.py.
The function picklescan.scanner._build_scan_result_from_raw_globals checks the globals extracted from a pickle against that blocklist; because the entry was missing, it did not flag the malicious global. picklescan.scanner._list_globals, which parses the pickle opcode stream and extracts the globals, is also listed as affected because it directly processes the malicious input. The practical consequence of a blocklist design is that a "no findings" result means only that no known-dangerous global was seen, not that the file is safe.
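To make the bypass concrete, here is an added example (written for this page, not picklescan's own code) of a picklescan-style scanner: it walks the opcode stream with pickletools.genops without ever unpickling, collects every global the pickle would import (both the GLOBAL opcode form and the protocol-4 STACK_GLOBAL form), and checks them against a module-to-names blocklist. The two blocklists, the function names list_globals and scan, and the pickle bytes are all constructed here; the only blocklist entry taken from the advisory is the torch one. The crafted pickles use an empty argument tuple as a placeholder, so they exercise the scanner without being a working payload.

```python
import pickle
import pickletools

# Added example: a picklescan-style static scanner. Not picklescan's code.
# Blocklist contents are constructed except the torch entry named in the advisory.

MODULE = "torch.utils.data.datapipes.utils.decoder"
NAME = "basichandlers"

# Opcodes whose operand is a string; protocol 4 pushes module and name with these
# before STACK_GLOBAL instead of embedding them in a GLOBAL opcode.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def list_globals(data: bytes) -> list:
    """Collect every (module, name) the pickle would import, without loading it."""
    found = []
    recent_strings = []  # string operands, the last two feed STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # pickletools renders the two newline-terminated operands as "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            # Simplification: assume the two most recent string pushes are module, name
            # (true for pickle.dumps output; a full scanner would model the stack).
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
    return found


def scan(data: bytes, unsafe_globals: dict) -> list:
    """Return the globals that hit the blocklist; an empty list is a 'safe' verdict."""
    hits = []
    for module, name in list_globals(data):
        names = unsafe_globals.get(module)
        if names == "*" or (names is not None and name in names):
            hits.append((module, name))
    return hits


# Constructed blocklists mirroring the module -> {names} | "*" shape (an assumption).
OLD_BLOCKLIST = {
    "builtins": {"eval", "exec", "compile", "open", "__import__"},
    "os": "*",
    "subprocess": "*",
}
PATCHED_BLOCKLIST = dict(OLD_BLOCKLIST)
PATCHED_BLOCKLIST[MODULE] = {NAME}  # the entry the fix adds

# Constructed pickle 1: protocol 2, GLOBAL opcode, empty-tuple args, REDUCE, STOP.
MALICIOUS_GLOBAL = (
    b"\x80\x02"                                           # PROTO 2
    + b"c" + MODULE.encode() + b"\n" + NAME.encode() + b"\n"  # GLOBAL module\nname\n
    + b")"                                                # EMPTY_TUPLE (placeholder args)
    + b"R"                                                # REDUCE
    + b"."                                                # STOP
)


def _unicode(s: str) -> bytes:
    raw = s.encode("utf-8")
    return b"\x8c" + bytes([len(raw)]) + raw + b"\x94"   # SHORT_BINUNICODE + MEMOIZE


# Constructed pickle 2: protocol 4 form, module and name pushed as strings, STACK_GLOBAL.
MALICIOUS_STACK_GLOBAL = (
    b"\x80\x04" + _unicode(MODULE) + _unicode(NAME)
    + b"\x93"   # STACK_GLOBAL
    + b")R."    # EMPTY_TUPLE, REDUCE, STOP
)

# Constructed benign pickle: plain data, no globals at all.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)


if __name__ == "__main__":
    for label, blob in (("GLOBAL form", MALICIOUS_GLOBAL),
                        ("STACK_GLOBAL form", MALICIOUS_STACK_GLOBAL),
                        ("benign", BENIGN)):
        print(label, "old:", scan(blob, OLD_BLOCKLIST),
              "patched:", scan(blob, PATCHED_BLOCKLIST))
```

Running it shows the advisory's behaviour directly: with the old blocklist both crafted pickles produce an empty hit list and would be reported safe, while the patched blocklist flags (MODULE, NAME) in each; the benign pickle is clean under both. Because the verdict is only as good as the blocklist, a "safe" result from an unpatched scanner carries no information about this global.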
An engineer running picklescan should understand that every version prior to 0.0.28 is vulnerable and will not detect this attack vector. Updating to the patched version is required for pickle files using this technique to be flagged, and any files that an older version previously passed as clean should be rescanned, since the earlier verdict said nothing about this global.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| picklescan | pip | <= 0.0.27 | 0.0.28 |