N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rrxm-2pvv-m66x

GHSA-rrxm-2pvv-m66x: Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef

Summary

Picklescan uses the numpy.f2py.crackfortran.getlincoef function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.

Details

Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran.getlincoef in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.

PoC

class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import getlincoef
        return getlincoef, ("__import__('os').system('whoami')", None)

Impact

Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
Enables supply‑chain poisoning of shared model files.

Credits

ac0d3r
Tong Liu, Institute of information engineering, CAS

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-rrxm-2pvv-m66x

GHSA-rrxm-2pvv-m66x:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 0.0.33	0.0.33

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability in picklescan (GHSA-rrxm-2pvv-m66x) stems from a failure to detect a remote code execution gadget using the numpy.f2py.crackfortran.getlincoef function. The root cause is twofold:

Incomplete Blocklist: The _unsafe_globals dictionary in src/picklescan/scanner.py was missing an entry for the numpy.f2py module, which contains multiple unsafe functions, including getlincoef.
Flawed Submodule Checking: The function _build_scan_result_from_raw_globals had a defective logic for checking modules. It only checked if the top-level parent module (e.g., numpy) was blocklisted, but did not check intermediate parent modules (e.g., numpy.f2py).

The patch addresses both issues. It adds "numpy.f2py": "*" to the _unsafe_globals list. More importantly, it modifies _build_scan_result_from_raw_globals to iterate through all parent modules of a given global, ensuring that if any parent is blocklisted with a wildcard, the global is correctly flagged as dangerous.

The primary vulnerable function is _build_scan_result_from_raw_globals because it contains the faulty detection logic. The user-facing functions scan_pickle_bytes and scan_pickle_file are also included as they are the entry points that process the malicious input and would have produced the incorrect 'safe' result prior to the patch.

Vulnerable functions

_build_scan_result_from_raw_globals

src/picklescan/scanner.py

This function contains the core logic for determining if a global is safe or unsafe. The vulnerability lies in its flawed logic for checking submodules. The original implementation only checked the top-level module against the blocklist. The patch introduces a loop to check all parent modules, which correctly identifies dangerous submodules like `numpy.f2py.crackfortran` when a parent like `numpy.f2py` is blocklisted.

scan_pickle_bytes

src/picklescan/scanner.py

This is a primary entry point for the scanner. It takes raw bytes of a pickle file as input. A user would call this function to scan a potentially malicious pickle. Due to the flaw in the underlying detection logic, this function would have incorrectly reported a malicious pickle containing the `numpy.f2py.crackfortran.getlincoef` gadget as safe.

scan_pickle_file

src/picklescan/scanner.py

This is a primary entry point for the scanner. It takes a path to a pickle file as input. A user would call this function to scan a potentially malicious pickle. Due to the flaw in the underlying detection logic, this function would have incorrectly reported a malicious pickle containing the `numpy.f2py.crackfortran.getlincoef` gadget as safe.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-rrxm-2pvv-m66x: Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef

Summary

Details

PoC

Impact

Credits

GHSA-rrxm-2pvv-m66x:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-rrxm-2pvv-m66x: Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef

Summary

Details

PoC

Impact

Credits

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI