The vulnerability in picklescan (GHSA-rrxm-2pvv-m66x) stems from a failure to detect a remote code execution gadget using the numpy.f2py.crackfortran.getlincoef function. The root cause is twofold:
- Incomplete Blocklist: The _unsafe_globals dictionary in src/picklescan/scanner.py was missing an entry for the numpy.f2py module, which contains multiple unsafe functions, including getlincoef.
- Flawed Submodule Checking: The function _build_scan_result_from_raw_globals used defective logic for checking modules. It only checked whether the top-level parent module (e.g., numpy) was blocklisted, and did not check intermediate parent modules (e.g., numpy.f2py).

The patch addresses both issues. It adds "numpy.f2py": "*" to the _unsafe_globals list. More importantly, it modifies _build_scan_result_from_raw_globals to iterate through all parent modules of a given global, ensuring that if any parent is blocklisted with a wildcard, the global is correctly flagged as dangerous.
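
The difference between the two checks, as an added example that is not picklescan's own code: one function models the top-level-only parent check described above, the other walks every parent module. The function names, the sample pickle bytes, and every blocklist entry except "numpy.f2py": "*" are constructed for illustration, and only the GLOBAL opcode is handled.

```python
import pickletools

# Constructed blocklist; only the "numpy.f2py": "*" entry is taken from the advisory.
UNSAFE_GLOBALS = {"numpy.f2py": "*", "os": "*", "builtins": {"eval", "exec"}}

# Constructed sample: one GLOBAL opcode plus STOP. It is only parsed, never loaded.
SAMPLE = b"cnumpy.f2py.crackfortran\ngetlincoef\n."


def extract_globals(data):
    """Return (module, name) pairs from GLOBAL opcodes without unpickling."""
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            found.append((module, name))
    return found


def _exact_match(module, name):
    entry = UNSAFE_GLOBALS.get(module)
    return entry is not None and (entry == "*" or name in entry)


def flagged_top_level_only(module, name):
    """Model of the flawed check: exact module, then only the top-level parent."""
    if _exact_match(module, name):
        return True
    return UNSAFE_GLOBALS.get(module.split(".")[0]) == "*"


def flagged_all_parents(module, name):
    """Model of the fixed check: any wildcard-blocklisted parent flags the global."""
    if _exact_match(module, name):
        return True
    parts = module.split(".")
    # For numpy.f2py.crackfortran this tests "numpy", then "numpy.f2py".
    return any(UNSAFE_GLOBALS.get(".".join(parts[:i])) == "*"
               for i in range(1, len(parts)))


def scan(data, check):
    """Return the globals in the pickle stream that the given check flags."""
    return [(m, n) for m, n in extract_globals(data) if check(m, n)]


if __name__ == "__main__":
    print("top-level only:", scan(SAMPLE, flagged_top_level_only))
    print("all parents:   ", scan(SAMPLE, flagged_all_parents))
```
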
The primary vulnerable function is _build_scan_result_from_raw_globals because it contains the faulty detection logic. The user-facing functions scan_pickle_bytes and scan_pickle_file are also included as they are the entry points that process the malicious input and would have produced the incorrect 'safe' result prior to the patch.

- _build_scan_result_from_raw_globals (src/picklescan/scanner.py)
- scan_pickle_bytes (src/picklescan/scanner.py)
- scan_pickle_file (src/picklescan/scanner.py)

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| picklescan | pip | < 0.0.33 | 0.0.33 |