GHSA-5qwp-399c-mjwf: picklescan: bypass enables undetected RCE in ML models
Severity: MEDIUM
picklescan is used as a security gate before loading pickle-based ML models (PyTorch, scikit-learn, etc.) — this bypass turns that gate into a false sense of security. Upgrade to picklescan 0.0.29 immediately; any model scanned with older versions should be considered untrusted. This directly enables supply chain attacks via public model hubs like HuggingFace.
Risk Assessment
Effective risk is HIGH despite the medium CVSS rating. The vulnerability targets a security control itself: bypassing picklescan gives attackers a reliable path to RCE that teams will not detect via their standard model validation workflow. Organizations that treat a passing picklescan result as a security clearance are fully exposed. Exploitability is moderate (it requires knowledge of Python pickle internals and the `trace` module), but a working PoC is public.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| picklescan | pip | < 0.0.29 | 0.0.29 |
Do you use picklescan? You're affected.
Recommended Action
1. PATCH: Upgrade picklescan to >= 0.0.29 on all systems immediately.
2. AUDIT: Re-scan all pickle-based models currently in use or in your model registry with the patched version.
3. LAYERED DEFENSE: Do not rely solely on picklescan. Add network egress monitoring, run model loading in sandboxed environments (containers with no credential access), and restrict pickle loading to explicitly allowlisted sources.
4. MIGRATE: Adopt SafeTensors format for model storage where possible — it eliminates pickle deserialization risk entirely.
5. DETECT: Alert on unexpected outbound network calls or process spawning during model load/inference initialization. Monitor for `trace.Trace.run` calls in model loading contexts.
6. SUPPLY CHAIN: Pin model artifact hashes and verify signatures from trusted registries; do not load models from unverified sources even after scanning.
Frequently Asked Questions
What is GHSA-5qwp-399c-mjwf?
picklescan is used as a security gate before loading pickle-based ML models (PyTorch, scikit-learn, etc.) — this bypass turns that gate into a false sense of security. Upgrade to picklescan 0.0.29 immediately; any model scanned with older versions should be considered untrusted. This directly enables supply chain attacks via public model hubs like HuggingFace.
Is GHSA-5qwp-399c-mjwf actively exploited?
No confirmed active exploitation of GHSA-5qwp-399c-mjwf has been reported, but organizations should still patch proactively.
How to fix GHSA-5qwp-399c-mjwf?
1. PATCH: Upgrade picklescan to >= 0.0.29 on all systems immediately.
2. AUDIT: Re-scan all pickle-based models currently in use or in your model registry with the patched version.
3. LAYERED DEFENSE: Do not rely solely on picklescan. Add network egress monitoring, run model loading in sandboxed environments (containers with no credential access), and restrict pickle loading to explicitly allowlisted sources.
4. MIGRATE: Adopt SafeTensors format for model storage where possible — it eliminates pickle deserialization risk entirely.
5. DETECT: Alert on unexpected outbound network calls or process spawning during model load/inference initialization. Monitor for `trace.Trace.run` calls in model loading contexts.
6. SUPPLY CHAIN: Pin model artifact hashes and verify signatures from trusted registries; do not load models from unverified sources even after scanning.
What systems are affected by GHSA-5qwp-399c-mjwf?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, model registries, MLOps pipelines, ML/AI development environments.
What is the CVSS score for GHSA-5qwp-399c-mjwf?
No CVSS score has been assigned yet.
Technical Details
NVD Description
Summary
Using trace.Trace.run, which is a built-in Python library function, to execute a remote pickle file.
Details
The attack payload executes in the following steps. First, the attacker crafts the payload by calling the trace.Trace.run function in the __reduce__ method. Then, when the victim checks whether the pickle file is safe using the Picklescan library and the library does not detect any dangerous functions, the victim decides to pickle.load() this malicious pickle file, thus leading to remote code execution.
PoC
```python
class EvilTraceRun:
    def __reduce__(self):
        from trace import Trace
        payload = "__import__('os').system('whoami')"
        return Trace.run, (Trace(), payload)
```
Impact
Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.
What is the impact? Attackers can embed malicious code in a pickle file that remains undetected but executes when the pickle file is loaded.
Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.
Corresponding
https://github.com/FredericDT
https://github.com/Qhaoduoyu
Exploitation Scenario
An attacker crafts a malicious PyTorch model file (.pt or .pkl) embedding a `__reduce__` method that calls `trace.Trace.run` with an arbitrary Python expression — such as a reverse shell or credential exfiltration command. The attacker publishes this model to HuggingFace, an internal model registry, or distributes it through a compromised CI/CD artifact store. A security-conscious ML engineer scans the file with picklescan (< 0.0.29) before loading — the scan returns clean. The engineer loads the model during a training run or inference deployment; the payload executes in the context of the ML worker with whatever IAM permissions, cloud credentials, or network access that process holds. In a cloud training environment, this could yield access to S3 buckets containing training data, Kubernetes service account tokens, or lateral movement into the broader cloud environment.
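The layered-defense and detection steps above, and the `trace.Trace.run` reference in the advisory's technical details, both come down to one question a loader can answer without running anything: which globals does the pickle import? The following is an added example written for this page; it is not picklescan's code and not the advisory's PoC. It walks the opcode stream with the standard library's `pickletools` to list every GLOBAL/STACK_GLOBAL import statically, then loads the file through an allowlisting `Unpickler` whose `find_class()` refuses anything not on the list, so a module such as `trace` is rejected without ever needing a denylist entry. `ALLOWED_GLOBALS` is a hypothetical policy, and the sample pickles are constructed here: the two trace samples reference only the `trace.Trace` class (loading them would merely return the class), which is enough to exercise the lookup a scanner must flag on both the protocol-2 and protocol-4 encodings.

```python
import io
import pickle
import pickletools
import trace
from collections import OrderedDict

# Opcodes that push a str onto the unpickler stack (protocols 0-5).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# Globals a checkpoint is permitted to import. Hypothetical policy for this
# example; a real deployment derives it from the classes its own framework
# and model actually need. Everything else, including anything under the
# trace module, is refused without a denylist entry.
ALLOWED_GLOBALS = frozenset({
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
})


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, qualname) the pickle would import.

    GLOBAL carries both names inside the opcode. STACK_GLOBAL takes them from
    the two most recent strings on the stack, which may have been stored in
    the memo earlier (BINGET), so a small memo of strings is tracked as well.
    Nothing in the pickle is executed.
    """
    found, strings, memo = [], [], {}
    last = None  # str produced by the previous opcode, else None
    for op, arg, pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":
            module, qualname = arg.split(" ", 1)
            found.append((module, qualname))
            last = None
        elif name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError(f"malformed STACK_GLOBAL at offset {pos}")
            qualname, module = strings.pop(), strings.pop()
            found.append((module, qualname))
            last = None
        elif name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None
    return found


def disallowed_globals(data: bytes) -> list[tuple[str, str]]:
    """Globals the pickle references that are not on the allowlist."""
    return [g for g in extract_globals(data) if g not in ALLOWED_GLOBALS]


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses any global outside ALLOWED_GLOBALS at load time.

    find_class() is consulted for GLOBAL and STACK_GLOBAL alike, before any
    callable is invoked, so a reference such as trace.Trace.run is rejected
    regardless of what a separate scanner said about the file.
    """

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def loads_rejected(data: bytes) -> bool:
    """True if the allowlist unpickler refuses the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples. The two trace samples pickle only a reference to the
# trace.Trace class, but they exercise exactly the global lookup a scanner
# must flag, on both the GLOBAL and the STACK_GLOBAL encoding.
SAMPLE_BENIGN = pickle.dumps(OrderedDict(epoch=3, weights=[0.5, 1.0]), protocol=4)
SAMPLE_TRACE_P2 = pickle.dumps(trace.Trace, protocol=2)  # GLOBAL opcode
SAMPLE_TRACE_P4 = pickle.dumps(trace.Trace, protocol=4)  # STACK_GLOBAL opcode

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("trace/p2", SAMPLE_TRACE_P2),
                        ("trace/p4", SAMPLE_TRACE_P4)):
        bad = disallowed_globals(blob)
        print(f"{label:9s} globals={extract_globals(blob)} -> "
              f"{'REJECT ' + str(bad) if bad else 'ok'}")
```

Running the file prints a verdict per sample. The static walk is the piece that fits a registry-side gate or an alerting pipeline (it never constructs an object), while the allowlisting `Unpickler` is the control that still holds on the worker when a scanner has been bypassed. The memo tracking here follows only strings, which is all STACK_GLOBAL consumes; a full stack simulation is not needed to enumerate imports.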
Related Vulnerabilities (same package: picklescan)
- GHSA-vvpj-8cmc-gx39 (10.0): picklescan: security flaw enables exploitation
- GHSA-g38g-8gr9-h9xp (9.8): picklescan: Allowlist Bypass evades input filtering
- GHSA-7wx9-6375-f5wh (9.8): picklescan: Allowlist Bypass evades input filtering
- CVE-2025-1945 (9.8): picklescan: ZIP flag bypass enables RCE in PyTorch models
- GHSA-hgrh-qx5j-jfwx (8.8): picklescan: Protection Bypass circumvents security controls