
GHSA-j343-8v2j-ff7w: Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand

Basic Information

CVSS Score: N/A
CVE ID: -
EPSS Score: -
CWE: -
Published: 8/26/2025
Updated: 8/26/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| picklescan | pip | < 0.0.30 | 0.0.30 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The security vulnerability GHSA-j343-8v2j-ff7w exists in the picklescan library because it failed to identify idlelib.pyshell.ModifiedInterpreter.runcommand as a potentially dangerous function when scanning pickle files. The vulnerability is not a flaw in a function written by the picklescan authors, but rather an omission in its threat detection logic: the denylist of dangerous globals simply did not contain this entry.

The exploit PoC demonstrates that an attacker can create a class with a __reduce__ method that returns ModifiedInterpreter.runcommand and a command to be executed. When an application using a vulnerable version of picklescan scans this malicious pickle, it will be deemed safe. However, when this pickle is subsequently loaded (e.g., via pickle.load()), the runcommand function is executed, resulting in arbitrary code execution on the victim's machine.

The provided patch, commit 1931c2d04eaca8d20597705ff39cab78ba364e4b, rectifies this vulnerability. The core of the fix is in src/picklescan/scanner.py, where the dangerous_globals dictionary is updated to include "idlelib.pyshell": {"ModifiedInterpreter.runcode", "ModifiedInterpreter.runcommand"}. This ensures that any pickle file attempting to use this function will be correctly identified as dangerous.

Therefore, the function idlelib.pyshell.ModifiedInterpreter.runcommand is the one that would appear in a runtime profile or stack trace during the actual exploitation phase (i.e., when the malicious pickle is loaded), making it the key indicator of this vulnerability being triggered.
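To make the detection gap concrete, here is a minimal static pickle scanner in the style of the dangerous_globals check described above. It is an added example, not picklescan's own code: the denylist is a small constructed subset (only the idlelib.pyshell entry mirrors the fix), and the sample streams are hand-assembled from pickle opcodes with an inert placeholder argument so that nothing is ever unpickled.

```python
import pickle
import pickletools

# Denylist in the shape of picklescan's dangerous_globals (module -> attribute names).
# The "idlelib.pyshell" entry mirrors the fix described above; the other entries are a
# small constructed subset for illustration, not picklescan's full table.
DANGEROUS_GLOBALS = {
    "builtins": {"eval", "exec"},
    "os": {"system", "popen"},
    "subprocess": {"Popen", "run"},
    "idlelib.pyshell": {"ModifiedInterpreter.runcode", "ModifiedInterpreter.runcommand"},
}
# The pre-fix table lacks the idlelib entry, which is why the scan came back clean.
PRE_FIX_GLOBALS = {k: v for k, v in DANGEROUS_GLOBALS.items() if k != "idlelib.pyshell"}

STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes):
    """Statically list every (module, name) a pickle stream imports, without unpickling.
    GLOBAL (protocol <= 3) carries "module name" inline; STACK_GLOBAL (protocol 4+)
    takes them from the two preceding string opcodes. Memo lookups (BINGET) are not
    resolved here, so this is a simplified form of what a full scanner does."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif opcode.name in STRING_OPCODES:
            strings.append(arg)
    return found


def scan(data: bytes, denylist=DANGEROUS_GLOBALS):
    """Return the flagged (module, name) pairs; an empty list means the stream passes."""
    return [(m, a) for m, a in referenced_globals(data) if a in denylist.get(m, set())]


# Constructed sample streams, hand-assembled from opcodes so nothing here is ever unpickled.
# Both reference the global from the advisory and pass an inert placeholder string (not a
# command) as the argument: PROTO, <global>, BINUNICODE, TUPLE1, REDUCE, STOP.
SAMPLE_PROTO2 = (b"\x80\x02cidlelib.pyshell\nModifiedInterpreter.runcommand\n"
                 b"X\x0d\x00\x00\x00<placeholder>\x85R.")
SAMPLE_PROTO4 = (b"\x80\x04\x8c\x0fidlelib.pyshell\x94\x8c\x1eModifiedInterpreter.runcommand"
                 b"\x94\x93X\x0d\x00\x00\x00<placeholder>\x85R.")
SAMPLE_BENIGN = pickle.dumps({"weights": [1.0, 2.0]})  # ordinary data, no globals at all

if __name__ == "__main__":
    for label, s in [("proto2", SAMPLE_PROTO2), ("proto4", SAMPLE_PROTO4), ("benign", SAMPLE_BENIGN)]:
        print(label, "pre-fix:", scan(s, PRE_FIX_GLOBALS), "post-fix:", scan(s))
```

Run against the pre-fix table, both malicious samples scan clean, which is the bypass the advisory describes; with the idlelib.pyshell entry present they are flagged, while the benign pickle passes either way.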
