GHSA-6556-fwc2-fg2p: picklescan: Code Injection enables RCE

GHSA-6556-fwc2-fg2p MEDIUM
Published December 30, 2025
CISO Take

Picklescan, a widely-used security gate for vetting pickle/PyTorch model files, can be bypassed using a numpy gadget chain — meaning files your pipeline marks 'safe' can still execute arbitrary code on load. Update picklescan to 0.0.33 immediately and audit any model files scanned with prior versions in shared repositories. Treat picklescan as one layer, not the only layer: adopt SafeTensors format for model exchange and sandbox model loading.

Risk Assessment

Effective severity is HIGH despite the CVSS medium label. The vulnerability negates a dedicated security control rather than adding a new weakness of its own, creating a false sense of security that is arguably more dangerous than having no scanner at all. Exploitability is straightforward — the PoC is public and trivially reproducible by anyone with basic Python knowledge. Exposure is broad: any MLOps team that adopted picklescan (recommended by Hugging Face and the PyTorch ecosystem) to gate model ingestion is affected. Impact is full code execution on the machine loading the artifact, which in CI/CD or training infrastructure typically means privileged access to secrets, model weights, and downstream systems.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         < 0.0.33           0.0.33


Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

6 steps

  1. IMMEDIATE

    Upgrade picklescan to 0.0.33 in all environments (pip install --upgrade picklescan).

  2. AUDIT

    Re-scan any model files previously cleared by picklescan < 0.0.33 in shared repos or model registries, treating prior clean verdicts as unverified.

  3. ARCHITECTURE

    Migrate model exchange to SafeTensors format (safe by design, no code execution on load) — enforce this for all externally-sourced models.

  4. DEFENSE-IN-DEPTH

    Load untrusted models in isolated sandboxes (containers with no network, restricted filesystem) even after scanning.

  5. DETECTION

    Alert on picklescan versions < 0.0.33 in dependency manifests via SCA tooling. Monitor for suspicious process spawning from model-loading services (e.g., whoami, curl, sh from Python processes).

  6. VERIFY SUPPLY CHAIN

    Require cryptographic signing for models ingested from external sources; verify hashes against trusted upstream sources before loading.
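The following is an added example of an ingestion gate that puts steps 1, 3 and 6 into working code; it is not code from the advisory or from the picklescan project. It flags requirements lines that still pin picklescan below 0.0.33, admits only artifacts that actually parse as SafeTensors (8-byte little-endian header length followed by a JSON header, the published layout) rather than trusting the file extension, and checks the artifact's SHA-256 against a trusted-upstream digest. The sample blobs, the requirements text and the function names are constructed for this example.

```python
"""Model ingestion gate (added example; not picklescan's or the advisory's code).

Covers three of the recommended actions in one place:
  - flag requirements lines that pin picklescan below the patched 0.0.33,
  - admit only artifacts that parse as SafeTensors (a format check, not a
    filename check), rejecting raw pickle streams and zip-based PyTorch archives,
  - verify the artifact's SHA-256 against a trusted-upstream digest.
Sample blobs and the requirements text are constructed for this example.
"""
import hashlib
import json
import re
import struct

PATCHED_PICKLESCAN = (0, 0, 33)


def parse_version(text):
    """'0.0.31' -> (0, 0, 31); only numeric components are compared."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def picklescan_needs_upgrade(requirement_line):
    """True when a requirements.txt line pins picklescan below 0.0.33."""
    match = re.match(r"\s*picklescan\s*==\s*([\w.]+)", requirement_line, re.I)
    if not match:
        return False  # not a picklescan pin
    return parse_version(match.group(1)) < PATCHED_PICKLESCAN


def find_vulnerable_pins(requirements_text):
    """All lines of a requirements file that still pin a vulnerable picklescan."""
    return [line.strip() for line in requirements_text.splitlines()
            if picklescan_needs_upgrade(line)]


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def parse_safetensors_header(blob):
    """Return the JSON header dict if blob is a well-formed SafeTensors file,
    otherwise None.

    Layout: 8-byte little-endian header length, JSON header, raw tensor bytes.
    Loading it is a memory copy, never object deserialisation, which is why
    the format is safe by design.
    """
    if len(blob) < 8:
        return None
    (header_len,) = struct.unpack("<Q", blob[:8])
    if header_len == 0 or 8 + header_len > len(blob):
        return None
    try:
        header = json.loads(blob[8:8 + header_len])
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(header, dict):
        return None
    # Every entry except __metadata__ must describe a tensor, nothing else.
    for name, entry in header.items():
        if name == "__metadata__":
            continue
        if not (isinstance(entry, dict)
                and {"dtype", "shape", "data_offsets"}.issubset(entry)):
            return None
    return header


def admit_model(blob, expected_sha256):
    """Gate decision as (admitted, reason). Both hash and format must pass."""
    if sha256_hex(blob) != expected_sha256:
        return False, "sha256 does not match the trusted upstream digest"
    if blob[:4] == b"PK\x03\x04":
        return False, "zip container rejected (PyTorch .bin/.pt pickle archive)"
    if blob[:1] == b"\x80":
        return False, "raw pickle stream rejected"
    if parse_safetensors_header(blob) is None:
        return False, "not a well-formed SafeTensors file"
    return True, "admitted: SafeTensors with trusted hash"


def build_sample_safetensors():
    """Constructed minimal SafeTensors blob: one float32 tensor of shape [2]."""
    header = json.dumps(
        {"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    data = struct.pack("<2f", 1.0, 2.0)
    return struct.pack("<Q", len(header)) + header + data


SAMPLE_SAFE = build_sample_safetensors()
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 32  # constructed stand-in for a pickle archive
SAMPLE_REQUIREMENTS = "numpy\npicklescan==0.0.31\nsafetensors\n"

if __name__ == "__main__":
    print(find_vulnerable_pins(SAMPLE_REQUIREMENTS))
    print(admit_model(SAMPLE_SAFE, sha256_hex(SAMPLE_SAFE)))
    print(admit_model(SAMPLE_ZIP, sha256_hex(SAMPLE_ZIP)))
```

The hash check runs first so that an artifact whose digest is unknown is rejected before any parsing; the format check then refuses both zip-based PyTorch archives and raw pickle streams outright instead of trying to scan them, which is the point of step 3: a scanner verdict is not needed for a format that cannot execute code on load.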

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
  Article 9 - Risk management system
ISO 42001
  A.10 - Third-party and supplier relationships
  A.10.1 - Supply chain security for AI systems
  A.9.3 - Security of AI system inputs
NIST AI RMF
  GOVERN-1.7 - AI risks and benefits are communicated and managed across the supply chain
  MANAGE-2.2 - Treatment of AI risks including third-party and supply chain risks
  MANAGE-2.4 - Mechanisms for detecting and responding to AI risks
OWASP LLM Top 10
  LLM03:2025 - Supply Chain Vulnerabilities
  LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-6556-fwc2-fg2p?

Picklescan, a widely-used security gate for vetting pickle/PyTorch model files, can be bypassed using a numpy gadget chain — meaning files your pipeline marks 'safe' can still execute arbitrary code on load. Update picklescan to 0.0.33 immediately and audit any model files scanned with prior versions in shared repositories. Treat picklescan as one layer, not the only layer: adopt SafeTensors format for model exchange and sandbox model loading.

Is GHSA-6556-fwc2-fg2p actively exploited?

No confirmed active exploitation of GHSA-6556-fwc2-fg2p has been reported, but organizations should still patch proactively.

How to fix GHSA-6556-fwc2-fg2p?

1. IMMEDIATE: Upgrade picklescan to 0.0.33 in all environments (pip install --upgrade picklescan).
2. AUDIT: Re-scan any model files previously cleared by picklescan < 0.0.33 in shared repos or model registries, treating prior clean verdicts as unverified.
3. ARCHITECTURE: Migrate model exchange to SafeTensors format (safe by design, no code execution on load) — enforce this for all externally-sourced models.
4. DEFENSE-IN-DEPTH: Load untrusted models in isolated sandboxes (containers with no network, restricted filesystem) even after scanning.
5. DETECTION: Alert on picklescan versions < 0.0.33 in dependency manifests via SCA tooling. Monitor for suspicious process spawning from model-loading services (e.g., whoami, curl, sh from Python processes).
6. VERIFY SUPPLY CHAIN: Require cryptographic signing for models ingested from external sources; verify hashes against trusted upstream sources before loading.

What systems are affected by GHSA-6556-fwc2-fg2p?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps CI/CD pipelines, model registries, data science notebook environments.

What is the CVSS score for GHSA-6556-fwc2-fg2p?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary

A malicious pickle can call the `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling, and Picklescan does not flag it.

### Details

Picklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran._eval_length` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker-controlled arguments; the scan reports the file as safe, but `pickle.load()` triggers execution.

### PoC

```python
class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import _eval_length
        return _eval_length, ("__import__('os').system('whoami')", None)
```

### Impact

- Arbitrary code execution on the victim machine once they load the "scanned as safe" pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply-chain poisoning of shared model files.

### Credits

- [ac0d3r](https://github.com/ac0d3r)
- [Tong Liu](https://lyutoon.github.io), Institute of Information Engineering, CAS
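To show what detecting this class of gadget looks like on the opcode level, here is an added example of a static pickle scan; it is not picklescan's own scanner and does not reproduce its logic. `pickletools.genops` decodes the opcode stream without executing it, so a file can be inspected without the `pickle.load()` that would fire the gadget. The scan resolves every `GLOBAL` and `STACK_GLOBAL` import, checks it against a denylist (the gadget named in this advisory plus a few long-known ones) and, more importantly, against an allowlist of what an ordinary checkpoint legitimately imports; the allowlist contents are an assumption for this example and need tuning to your own artifacts. The sample streams are hand-built byte strings that name the gadget but carry no payload and are never loaded.

```python
"""Static opcode scan for the gadget described above (added example; this is
not picklescan's own scanner).

pickletools.genops decodes the opcode stream without executing it, so a file
can be inspected without the pickle.load() that would fire the gadget. The
sample streams below are hand-built byte strings that name the gadget but
carry no payload, and they are never loaded.
"""
import collections
import pickle
import pickletools

# Dotted names a model file has no business importing. The first is the
# gadget from this advisory; the rest are long-known pickle gadgets.
DENYLIST = {
    "numpy.f2py.crackfortran._eval_length",
    "os.system",
    "builtins.eval",
    "builtins.exec",
    "subprocess.Popen",
}

# Assumed allowlist of what an ordinary PyTorch checkpoint legitimately
# imports; tune to your own artifacts. Anything not listed is "unexpected".
ALLOWLIST = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "numpy.core.multiarray._reconstruct",
    "numpy.ndarray",
    "numpy.dtype",
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def imported_globals(stream):
    """Yield every 'module.name' the stream would import on load.

    GLOBAL carries module and name inline. STACK_GLOBAL (protocol 4) pops
    them from the stack, so the last two string pushes are tracked, and the
    memo is followed so that memoised strings fetched via *GET still resolve.
    """
    recent, memo, last = [], {}, None
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in STRING_OPS:
            last = arg
            recent.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last      # does not push; 'last' is unchanged
        elif op.name in MEMO_PUT_OPS:
            memo[arg] = last
        elif op.name in MEMO_GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                recent.append(last)
        elif op.name == "GLOBAL":
            last = None
            module, name = arg.split(" ", 1)   # genops renders "module name"
            yield "%s.%s" % (module, name)
        elif op.name == "STACK_GLOBAL":
            last = None
            if len(recent) >= 2:
                yield "%s.%s" % (recent[-2], recent[-1])
            else:
                yield "<unresolved STACK_GLOBAL>"  # fail closed: not allowlisted
        else:
            last = None


def scan(stream):
    """Return (verdict, findings); verdict is 'malicious', 'suspicious' or 'clean'."""
    findings = []
    for dotted in imported_globals(stream):
        if dotted in DENYLIST:
            findings.append(("denylisted", dotted))
        elif dotted not in ALLOWLIST:
            findings.append(("unexpected", dotted))
    if any(kind == "denylisted" for kind, _ in findings):
        return "malicious", findings
    return ("suspicious" if findings else "clean"), findings


# Constructed samples. Both gadget streams resolve to the advisory's import
# and then STOP; nothing here is ever passed to pickle.load().
MODULE, NAME = b"numpy.f2py.crackfortran", b"_eval_length"
GADGET_PROTO2 = b"\x80\x02c" + MODULE + b"\n" + NAME + b"\n)R."
GADGET_PROTO4 = (b"\x80\x04\x8c" + bytes([len(MODULE)]) + MODULE
                 + b"\x8c" + bytes([len(NAME)]) + NAME + b"\x93)R.")
BENIGN = pickle.dumps({"layer.weight": [0.5, -0.25]}, protocol=4)
BENIGN_REDUCE = pickle.dumps(collections.OrderedDict(bias=0.0), protocol=4)

if __name__ == "__main__":
    for label, blob in [("proto2", GADGET_PROTO2), ("proto4", GADGET_PROTO4),
                        ("benign", BENIGN), ("ordered", BENIGN_REDUCE)]:
        print(label, scan(blob))
```

The denylist catches this particular gadget, but a denylist is exactly the control that this advisory shows being outrun by a new import path; the allowlist branch is what turns an unknown gadget into a "suspicious" verdict instead of a clean one, and an unresolvable `STACK_GLOBAL` is deliberately reported rather than ignored.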

Exploitation Scenario

An adversary targets an organization's ML pipeline that uses picklescan to vet community models before loading. The attacker clones a legitimate popular model repository on Hugging Face, adds a malicious pytorch_model.bin crafted with the numpy _eval_length gadget (establishing a reverse shell or exfiltrating cloud credentials), and submits it as a 'model update' or mirrors it under a typosquatted repository name. The victim's ingestion pipeline runs picklescan, receives a clean verdict, and loads the model during training or inference. The gadget executes silently, granting the adversary shell access to the training infrastructure — which typically holds cloud IAM credentials, proprietary training data, and access to production serving endpoints.

Timeline

Published
December 30, 2025
Last Modified
December 30, 2025
First Seen
March 24, 2026

Related Vulnerabilities