Pickle Me This: How a 'Safe' Scanner Became an RCE Delivery System
Jan 3, 2026·7 min read·1 visit
Executive Summary (TL;DR)
A security tool named `picklescan`, designed to find dangerous Python pickle files, had a critical command injection flaw. When scanning a ZIP file, it used an unsanitized internal filename to build a shell command, allowing an attacker who controls the filename to achieve remote code execution. The fix was a one-line change to properly quote the filename. Anyone using `picklescan` versions before 1.0.1 should upgrade immediately.
The picklescan library, a tool designed to safely inspect Python pickle files for malicious content without the risks of deserialization, ironically contained a critical command injection vulnerability. By crafting a malicious ZIP archive with a specially named file, an attacker could execute arbitrary commands on the machine running the scan. This vulnerability turns a security tool into a weapon, achieving remote code execution by exploiting the very mechanism meant to provide safety.
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
picklescan mmaitre314 | < 1.0.1 | 1.0.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 |
| CWE Name | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| Attack Vector | Network / File Upload |
| CVSS 3.1 Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact | Remote Code Execution |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not Listed |