AI Threat Alert

GHSA-86cj-95qr-2p4f: picklescan: detection bypass enables PyTorch model RCE

GHSA-86cj-95qr-2p4f MEDIUM
Published August 22, 2025
CISO Take

If your ML pipeline uses picklescan to vet PyTorch model files before loading, your security control is broken — attackers can craft pickle files that pass the scan and execute arbitrary OS commands on load. Upgrade picklescan to 0.0.28 immediately and treat any model file validated with <=0.0.27 as untrusted. This is a false-negative in your defense layer, not a PyTorch bug — the exploitability is trivial with a public PoC.

What is the risk?

Effective risk is higher than the medium CVSS suggests. The vulnerability lives in a security control (picklescan), so organizations relying on it have a false sense of safety. The PoC is public, the exploit is trivial to reproduce, and the payload bypasses the only commonly-used pickle safety scanner in ML workflows. Any org with a model intake process that accepts external files and validates with picklescan is directly exposed. Impact is full RCE on the model-loading host.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
picklescan pip <= 0.0.27 0.0.28
413 3 dependents Pushed 1mo ago 69% patched ~12d to patch Full package profile →

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

1 step

  1. 1) Upgrade picklescan to 0.0.28 immediately in all environments — this is the patch. 2) Audit all model files scanned with picklescan <=0.0.27 since 2025-08-22 and treat them as potentially compromised. 3) Implement defense-in-depth: do not rely on any single scanner; load untrusted models in sandboxed/ephemeral environments with no network or filesystem access. 4) Prefer safetensors over pickle for model serialization — it eliminates the entire attack class. 5) Add SIEM rule: alert on torch._dynamo.guards appearing in pickle files or scan logs. 6) For model registries: re-scan all cached models with the patched version.

How is it classified?

Supply Chain Code Execution Framework Model AML.T0010.001 AML.T0011.000 AML.T0018.002 AML.T0058 AML.T0074 AML.T0107

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2 - AI risk assessment A.8.3 - AI system integrity
NIST AI RMF
GOVERN 1.7 - Processes for AI risk management MANAGE 2.2 - Mechanisms to sustain treatment of identified AI risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-86cj-95qr-2p4f?

If your ML pipeline uses picklescan to vet PyTorch model files before loading, your security control is broken — attackers can craft pickle files that pass the scan and execute arbitrary OS commands on load. Upgrade picklescan to 0.0.28 immediately and treat any model file validated with <=0.0.27 as untrusted. This is a false-negative in your defense layer, not a PyTorch bug — the exploitability is trivial with a public PoC.

Is GHSA-86cj-95qr-2p4f actively exploited?

No confirmed active exploitation of GHSA-86cj-95qr-2p4f has been reported, but organizations should still patch proactively.

How to fix GHSA-86cj-95qr-2p4f?

1) Upgrade picklescan to 0.0.28 immediately in all environments — this is the patch. 2) Audit all model files scanned with picklescan <=0.0.27 since 2025-08-22 and treat them as potentially compromised. 3) Implement defense-in-depth: do not rely on any single scanner; load untrusted models in sandboxed/ephemeral environments with no network or filesystem access. 4) Prefer safetensors over pickle for model serialization — it eliminates the entire attack class. 5) Add SIEM rule: alert on `torch._dynamo.guards` appearing in pickle files or scan logs. 6) For model registries: re-scan all cached models with the patched version.

What systems are affected by GHSA-86cj-95qr-2p4f?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps model registries, CI/CD model validation pipelines, supply chain / model distribution.

What is the CVSS score for GHSA-86cj-95qr-2p4f?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesMLOps model registriesCI/CD model validation pipelinessupply chain / model distribution

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.8.3
NIST AI RMF: GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

### Summary Using torch._dynamo.guards.GuardBuilder.get function, which is a pytorch library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to torch._dynamo.guards.GuardBuilder.get function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` import types import torch._dynamo.guards as guards class EvilTorchDynamoGuardsGet: def __reduce__(self): fake_self = types.SimpleNamespace(scope={}) name = "__import__('os').system('whoami')" return guards.GuardBuilder.get, (fake_self, name) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects. ### Corresponding https://github.com/FredericDT https://github.com/Qhaoduoyu

Exploitation Scenario

An adversary targets an MLOps team that accepts community-contributed models. They publish a seemingly legitimate PyTorch model (e.g., a fine-tuned LLM adapter) to Hugging Face or a private registry. The model file contains a crafted `__reduce__` that invokes `torch._dynamo.guards.GuardBuilder.get` with an embedded shell command. The victim's intake pipeline runs picklescan on the file, receives a clean result, and promotes the model to staging. On first inference load, the malicious `__reduce__` executes — establishing a reverse shell or exfiltrating cloud credentials from the serving environment.

Weaknesses (CWE)

CWE-345 Insufficient Verification of Data Authenticity Primary

CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Source: MITRE CWE corpus.

References

Timeline

Published
August 22, 2025
Last Modified
August 22, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2026-3490 10.0

picklescan: blocklist bypass enables full RCE

Same package: picklescan
CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same package: picklescan
CRITICAL GHSA-g38g-8gr9-h9xp 9.8

picklescan: Allowlist Bypass evades input filtering

Same package: picklescan
CRITICAL CVE-2025-1945 9.8

picklescan: ZIP flag bypass enables RCE in PyTorch models

Same package: picklescan
CRITICAL GHSA-7wx9-6375-f5wh 9.8

picklescan: Allowlist Bypass evades input filtering

Same package: picklescan
Back to Threat Feed