Jan 3, 2026
Picklescan, a security scanner for Python pickle files, had a blind spot. It didn't check for dangerous functions in the C-optimized `_operator` module. This allowed attackers to craft malicious pickles that bypassed the scan and achieved Remote Code Execution. Update to version 0.0.34 immediately.
The Picklescan library, a tool designed to detect malicious Python pickle files, contained a critical vulnerability allowing for Remote Code Execution (RCE). The flaw stemmed from an incomplete blacklist that failed to account for dangerous functions within Python's C-optimized `_operator` module. Attackers could craft a pickle payload using `_operator.methodcaller` or `_operator.attrgetter` to bypass Picklescan's checks, leading to arbitrary command execution when the seemingly 'safe' file was deserialized by a victim application.
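The blind spot described above can be reproduced with a small static check. The following is an added example, not Picklescan's own code. The denylists, the allowlist and the two sample pickles are constructed for illustration, and the samples only reference a callable without invoking it.

```python
import pickletools

# Constructed denylists for illustration; these are not Picklescan's real tables.
DENY_BEFORE = {"os": {"*"}, "subprocess": {"*"},
               "operator": {"attrgetter", "methodcaller"}}
DENY_AFTER = {**DENY_BEFORE, "_operator": {"attrgetter", "methodcaller"}}
# Allowlist alternative: any import that is not listed is rejected.
ALLOW = {("collections", "OrderedDict")}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def referenced_globals(data):
    """Return the (module, name) pairs a pickle imports, without loading it."""
    found, strings = set(), []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Simplification: assumes both operands were pushed directly,
            # not fetched back from the memo.
            found.add((strings[-2], strings[-1]))
    return found


def denylist_hits(data, deny):
    """Imports that a module -> names denylist would flag."""
    return {(m, n) for m, n in referenced_globals(data)
            if m in deny and (n in deny[m] or "*" in deny[m])}


def allowlist_violations(data, allow=ALLOW):
    """Imports that are not explicitly permitted."""
    return referenced_globals(data) - allow


def _short_str(text):
    raw = text.encode()
    return b"\x8c" + bytes([len(raw)]) + raw  # SHORT_BINUNICODE


# Constructed samples: protocol 0 GLOBAL and protocol 4 STACK_GLOBAL.
SAMPLE_P0 = b"c_operator\nattrgetter\n."
SAMPLE_P4 = (b"\x80\x04" + _short_str("_operator")
             + _short_str("methodcaller") + b"\x93.")
```

A denylist that names only `operator` reports nothing for either sample, while the allowlist rejects both without needing to know about `_operator` in advance.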

| Product | Affected Versions | Fixed Version |
|---|---|---|
| picklescan mmaitre314 | < 0.0.34 | 0.0.34 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-502 |
| Weakness | Deserialization of Untrusted Data |
| Attack Vector | Network / File |
| CVSSv3.1 Score | 9.3 (Critical) |
| Impact | Remote Code Execution |
| Exploit Status | Proof-of-Concept Available |
| KEV Status | Not Listed |

The software deserializes untrusted data without sufficiently verifying that the resulting data will be valid, leading to arbitrary code execution.