Picklescan, a widely-used security gate for vetting pickle/PyTorch model files, can be bypassed using a numpy gadget chain — meaning files your pipeline marks 'safe' can still execute arbitrary code on load. Update picklescan to 0.0.33 immediately and audit any model files scanned with prior versions in shared repositories. Treat picklescan as one layer, not the only layer: adopt SafeTensors format for model exchange and sandbox model loading.
What is the risk?
Effective severity is HIGH despite the CVSS medium label. The vulnerability negates a dedicated security control rather than introducing a new one, creating a false sense of security that is arguably more dangerous than having no scanner. Exploitability is straightforward — the PoC is public and trivially reproducible by anyone with basic Python knowledge. Exposure is broad: any MLOps team that adopted picklescan (recommended by Hugging Face, PyTorch ecosystem) to gate model ingestion is affected. Impact is full code execution on the machine loading the artifact, which in CI/CD or training infrastructure typically means privileged access to secrets, model weights, and downstream systems.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| picklescan | pip | < 0.0.33 | 0.0.33 |
Do you use picklescan? You're affected.
What should I do?
Six steps:

1. IMMEDIATE: Upgrade picklescan to 0.0.33 in all environments (pip install --upgrade picklescan).
2. AUDIT: Re-scan any model files previously cleared by picklescan < 0.0.33 in shared repos or model registries, treating prior clean verdicts as unverified.
3. ARCHITECTURE: Migrate model exchange to SafeTensors format (safe by design, no code execution on load) — enforce this for all externally-sourced models.
4. DEFENSE-IN-DEPTH: Load untrusted models in isolated sandboxes (containers with no network, restricted filesystem) even after scanning.
5. DETECTION: Alert on picklescan versions < 0.0.33 in dependency manifests via SCA tooling. Monitor for suspicious process spawning from model-loading services (e.g., whoami, curl, sh from Python processes).
6. VERIFY SUPPLY CHAIN: Require cryptographic signing for models ingested from external sources; verify hashes against trusted upstream sources before loading.
Frequently Asked Questions
Is GHSA-6556-fwc2-fg2p actively exploited?
No confirmed active exploitation of GHSA-6556-fwc2-fg2p has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-6556-fwc2-fg2p?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps CI/CD pipelines, model registries, data science notebook environments.
What is the CVSS score for GHSA-6556-fwc2-fg2p?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0058 Publish Poisoned Models
- AML.T0074 Masquerading
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
### Summary

Picklescan uses the `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.

### Details

Picklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran._eval_length` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker-controlled arguments; the scan reports the file as safe, but `pickle.load()` triggers execution.

### PoC

```python
class PoC:
    def __reduce__(self):
        # The returned callable is an unlisted NumPy helper, so picklescan < 0.0.33
        # reports the pickle as safe; pickle.load() still calls it with these arguments.
        from numpy.f2py.crackfortran import _eval_length
        return _eval_length, ("__import__('os').system('whoami')", None)
```

### Impact

- Arbitrary code execution on the victim machine once they load the "scanned as safe" pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply-chain poisoning of shared model files.

### Credits

- [ac0d3r](https://github.com/ac0d3r)
- [Tong Liu](https://lyutoon.github.io), Institute of Information Engineering, CAS
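The defender-side lesson of this advisory is that a blocklist of known gadgets will always be one helper behind, whereas an allowlist over the globals a pickle imports catches an unlisted helper such as `numpy.f2py.crackfortran._eval_length` without anyone knowing it in advance. The scanner below is an added example (not picklescan's own code): it walks the opcode stream with `pickletools.genops`, which parses but never executes the pickle, and reports every imported global outside an allowlist. The allowlist, the hand-assembled gadget pickle (mirroring the advisory's PoC) and the benign sample are all constructed for this demo.

```python
import pickle
import pickletools
from collections import OrderedDict
from typing import List, Tuple

# Constructed allowlist for this demo (not picklescan's real lists): only globals a plain
# state dict legitimately needs are permitted; any other import is reported.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}
# Opcodes that push a str onto the stack; STACK_GLOBAL consumes the last two of them.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def extract_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) the pickle would import. pickletools.genops only
    parses the opcode stream, so nothing in the file is executed."""
    found: List[Tuple[str, str]] = []
    strings: List[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name pushed as strings
            # Demo limitation: operands fetched from the memo (BINGET) are not resolved.
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
    return found

def scan(data: bytes) -> List[str]:
    """Allowlist verdict: every imported global not explicitly permitted, as 'module.name'.
    An empty list means the file imports nothing outside the allowlist."""
    return [f"{m}.{n}" for m, n in extract_globals(data) if (m, n) not in ALLOWED_GLOBALS]

def gadget_pickle() -> bytes:
    """Constructed sample: the advisory's PoC hand-assembled as protocol-2 opcodes
    (GLOBAL, MARK, BINUNICODE, NONE, TUPLE, REDUCE, STOP), so no numpy import is needed."""
    cmd = b"__import__('os').system('whoami')"
    return (b"\x80\x02" + b"cnumpy.f2py.crackfortran\n_eval_length\n" + b"("
            + b"X" + len(cmd).to_bytes(4, "little") + cmd + b"N" + b"t" + b"R" + b".")

def benign_pickle() -> bytes:
    """Constructed sample: an empty OrderedDict state dict, serialised with STACK_GLOBAL."""
    return pickle.dumps(OrderedDict(), protocol=4)

if __name__ == "__main__":
    for label, blob in (("gadget", gadget_pickle()), ("benign", benign_pickle())):
        print(f"{label}: {scan(blob) or 'no globals outside allowlist'}")
```

A production scanner must also resolve STACK_GLOBAL operands that arrive via memo references and treat REDUCE/BUILD on any non-allowlisted global as a hard failure; this demo keeps only the core allowlist check.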
Exploitation Scenario
An adversary targets an organization's ML pipeline that uses picklescan to vet community models before loading. The attacker clones a legitimate popular model repository on Hugging Face, adds a malicious pytorch_model.bin crafted with the numpy _eval_length gadget (establishing a reverse shell or exfiltrating cloud credentials), and submits it as a 'model update' or mirrors it under a typosquatted repository name. The victim's ingestion pipeline runs picklescan, receives a clean verdict, and loads the model during training or inference. The gadget executes silently, granting the adversary shell access to the training infrastructure — which typically holds cloud IAM credentials, proprietary training data, and access to production serving endpoints.
Weaknesses (CWE)
CWE-502 Deserialization of Untrusted Data
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Source: MITRE CWE corpus.
Related Vulnerabilities
- CVE-2026-3490 (10.0) picklescan: blocklist bypass enables full RCE (same package: picklescan)
- GHSA-vvpj-8cmc-gx39 (10.0) picklescan: security flaw enables exploitation (same package: picklescan)
- GHSA-g38g-8gr9-h9xp (9.8) picklescan: Allowlist Bypass evades input filtering (same package: picklescan)
- CVE-2025-1945 (9.8) picklescan: ZIP flag bypass enables RCE in PyTorch models (same package: picklescan)
- GHSA-7wx9-6375-f5wh (9.8) picklescan: Allowlist Bypass evades input filtering (same package: picklescan)