Jan 3, 2026
A security tool named `picklescan`, designed to find dangerous Python pickle files, had a critical command injection flaw. When scanning a ZIP file, it used an unsanitized internal filename to build a shell command, allowing an attacker who controls the filename to achieve remote code execution. The fix was a one-line change to properly quote the filename. Anyone using `picklescan` versions before 1.0.1 should upgrade immediately.
The picklescan library, a tool designed to safely inspect Python pickle files for malicious content without the risks of deserialization, ironically contained a critical command injection vulnerability. By crafting a malicious ZIP archive with a specially named file, an attacker could execute arbitrary commands on the machine running the scan. This vulnerability turns a security tool into a weapon, achieving remote code execution by exploiting the very mechanism meant to provide safety.
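The bug class above (an untrusted ZIP entry name spliced into a shell command string) and the quoting fix, reduced to a small model. This is an added example, not picklescan's own code: the `inspect-tool` command, the entry names and the in-memory archive are constructed for illustration, and the pre-check function is a defensive addition that the page does not describe.

```python
"""Added example, not code from picklescan or its author. It models the bug
class described above: a ZIP entry name is interpolated into a shell command.
The command string, entry names and the in-memory archive are constructed."""
import io
import shlex
import zipfile

# Characters a POSIX shell treats specially; a benign pickle/ZIP entry name
# has no business containing any of them.
SHELL_META = set(";|&$`<>()\n\"'\\*?")

def build_command_vulnerable(entry_name: str) -> str:
    # Pre-fix pattern (CWE-78): the raw name is spliced into a string that is
    # later handed to a shell, so metacharacters in the name are interpreted.
    return f"inspect-tool --entry {entry_name}"

def build_command_fixed(entry_name: str) -> str:
    # The one-line fix: shlex.quote makes the whole name a single shell word.
    return f"inspect-tool --entry {shlex.quote(entry_name)}"

def shell_words(command: str) -> list[str]:
    # Tokenise as a POSIX shell would, without executing anything.
    return shlex.split(command)

def suspicious_entries(zip_bytes: bytes) -> list[str]:
    # Defensive pre-check: return entry names carrying shell metacharacters or
    # path traversal, so a scanner can refuse the archive before any command
    # is built from the names.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            n for n in zf.namelist()
            if SHELL_META & set(n) or n.startswith("/") or ".." in n.split("/")
        ]

def make_archive(names: list[str]) -> bytes:
    # Constructed test archive; the payload bytes are irrelevant, only the
    # entry names matter for this bug class.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    hostile = "model.pkl; echo INJECTED"          # constructed hostile entry name
    archive = make_archive(["data.pkl", hostile])
    print(suspicious_entries(archive))
    print(shell_words(build_command_vulnerable(hostile)))  # name breaks into several words
    print(shell_words(build_command_fixed(hostile)))       # name stays one word
```

Quoting fixes word splitting and command separation, not option injection (a name beginning with `-`), so the more robust fix is to pass an argument list to `subprocess.run` with `shell=False` and validate entry names with a check like `suspicious_entries` first.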
| Product | Affected Versions | Fixed Version |
|---|---|---|
| picklescan (mmaitre314) | < 1.0.1 | 1.0.1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 |
| CWE Name | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| Attack Vector | Network / File Upload |
| CVSS 3.1 Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact | Remote Code Execution |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not Listed |