
GHSA-vv6j-3g6g-2pvj: Picklescan missing detection when calling pytorch function torch.utils._config_module.load_config

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 8/22/2025
Updated: 8/22/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| picklescan | pip | <= 0.0.27 | 0.0.28 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability, GHSA-vv6j-3g6g-2pvj, is a bypass in the picklescan library's detection mechanism. The library is designed to identify potentially malicious code within Python pickle files, which are often used for serializing and deserializing Python object structures, particularly in machine learning models. The root cause of this vulnerability is an incomplete denylist of dangerous functions. Specifically, the torch.utils._config_module.load_config function, which can be abused to load and execute arbitrary code from a nested pickle, was not included in picklescan's list of unsafe functions (_unsafe_globals).

An attacker could craft a malicious pickle file that, when loaded, calls this torch function to execute arbitrary code. When a user of a vulnerable picklescan version scans this file, the library would not flag it as malicious, giving a false sense of security. The user would then proceed to load the pickle file, leading to remote code execution.

The patch for this vulnerability, found in commit 7f994d62084fe43f1cffdef2f9bae6923344ef53, directly addresses this issue by adding torch.utils._config_module.ConfigModule.load_config to the _unsafe_globals dictionary in src/picklescan/scanner.py. This ensures that any future scans will correctly identify pickle files attempting to use this function as dangerous.

The function picklescan.scanner.scan_pickle_bytes and its helper picklescan.scanner._build_scan_result_from_raw_globals are the key functions that would appear in a runtime profile during the scanning process. They are considered "vulnerable" in the sense that they contained the flawed logic (i.e., referencing an incomplete denylist) that led to the security bypass. For a security engineer, this means that any environment using picklescan versions prior to 0.0.28 to validate pickle files, especially files from untrusted sources, is at risk and should be updated immediately.
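As an added illustration of the denylist logic described above (not picklescan's own code), the following scanner records every GLOBAL / STACK_GLOBAL reference in a pickle with pickletools, without ever unpickling it, and checks those references against a constructed denylist before and after the torch entry is added. The denylist contents, the sample pickles and the function names are assumptions made for this example.

```python
import pickle
import pickletools
from typing import Iterator

# Constructed subset of a picklescan-style denylist (module -> unsafe names,
# "*" meaning any name). This is NOT picklescan's real _unsafe_globals table.
UNSAFE_GLOBALS_OLD = {"builtins": {"eval", "exec", "__import__"},
                      "os": {"system", "popen"}, "subprocess": {"*"}}
# The fix described above adds the torch config loader to the denylist.
UNSAFE_GLOBALS_FIXED = {**UNSAFE_GLOBALS_OLD,
                        "torch.utils._config_module": {"ConfigModule.load_config"}}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def iter_globals(data: bytes) -> Iterator[tuple[str, str]]:
    """Yield (module, name) for each GLOBAL / STACK_GLOBAL reference.
    pickletools.genops only disassembles opcodes: nothing is unpickled."""
    strings: list[str] = []             # recent string pushes, for STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":         # arg is "module name" (two text lines)
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL":  # module and name were pushed as strings
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            yield strings[-2], strings[-1]
        elif op.name in STRING_OPS:
            strings.append(arg)


def scan(data: bytes, denylist: dict[str, set[str]]) -> list[str]:
    """Return denylisted globals the pickle references, as 'module.name'."""
    hits = []
    for module, name in iter_globals(data):
        names = denylist.get(module, set())
        if "*" in names or name in names:
            hits.append(f"{module}.{name}")
    return hits


# Constructed pickles that merely reference the torch loader (no arguments,
# no REDUCE): enough to exercise the detector, not a working payload.
SAMPLE_GLOBAL = (b"\x80\x02"                                               # PROTO 2
                 b"ctorch.utils._config_module\nConfigModule.load_config\n"  # GLOBAL
                 b".")                                                     # STOP
SAMPLE_STACK_GLOBAL = (b"\x80\x04"                                  # PROTO 4
                       b"\x8c\x1atorch.utils._config_module"        # SHORT_BINUNICODE
                       b"\x8c\x18ConfigModule.load_config"          # SHORT_BINUNICODE
                       b"\x93.")                                    # STACK_GLOBAL, STOP
BENIGN = pickle.dumps({"weights": [0.1, 0.2]})                      # ordinary data
```

With the old denylist `scan(SAMPLE_GLOBAL, UNSAFE_GLOBALS_OLD)` returns an empty list (the bypass); with the fixed one it returns the torch reference.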
