GHSA-9w88-8rmg-7g2p: picklescan: scan bypass allows silent RCE via ML models
GHSA-9w88-8rmg-7g2p MEDIUM
picklescan below 0.0.30 fails to flag pickle files that abuse cProfile.runctx for code execution, giving teams a false-clean signal on malicious PyTorch models. Patch to 0.0.30+ immediately and re-scan any external models accepted based on prior picklescan approvals. Never rely on a single scanner as the sole defense for pickle file ingestion; treat it as one layer, not a gate.
What is the risk?
Risk is HIGH for organizations ingesting externally-sourced PyTorch or pickle-based models (HuggingFace, public repos, model marketplaces). Exploitability is trivial — the PoC is 5 lines of Python, requires no special privileges, and executes on pickle.load(). The deceptive element is critical: security teams will see a clean scan and lower their guard. CVSS N/A understates the practical risk for AI-heavy environments where pickle loading is routine. Supply chain exposure multiplies impact significantly.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| picklescan | pip | < 0.0.30 | 0.0.30 |
Do you use picklescan? You're affected.
What should I do?
6 steps:

IMMEDIATE
1. Upgrade picklescan to 0.0.30+ on all systems.
2. Re-scan all pickle/PyTorch model files previously approved by picklescan < 0.0.30, especially those from external sources.

ARCHITECTURAL
3. Migrate model serialization to the safetensors format, which does not support arbitrary code execution by design.
4. Add defense-in-depth: run models in sandboxed environments (Docker with no-net, seccomp profiles) even after scan approval.
5. For detection of already-loaded payloads: monitor for unexpected process spawning (os.system, subprocess) from Python ML worker processes.
6. Audit any model ingestion pipeline for single-scanner dependency on picklescan.
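To reduce the single-scanner dependency from step 6, the following added example (not picklescan's code and not part of the advisory) takes the allowlist approach that a blocklist scanner lacks: it disassembles a pickle with pickletools.genops, never loading it, and reports every imported global whose module is not on an allowlist. The allowlist contents and the sample blobs are constructed assumptions for the demonstration.

```python
import collections
import pickle
import pickletools

# Modules a checkpoint from this (hypothetical) pipeline may legitimately
# reference. Anything else is reported, so a newly abused stdlib function
# such as cProfile.runctx is caught without waiting for a scanner update.
ALLOWED_TOP_MODULES = frozenset({"torch", "collections", "numpy", "builtins"})


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return (module, name) for every global the pickle would import.

    pickletools.genops only disassembles opcodes; the data is never
    unpickled, so nothing inside it can run.
    """
    found = []
    recent_strings: list[str] = []  # candidate operands for STACK_GLOBAL
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # protocols 0-3: the arg is "module name" as one string
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # protocol 4+: module and name are the two strings pushed before it
            found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def disallowed_globals(data: bytes) -> list[tuple[str, str]]:
    """Globals whose top-level module is not on the allowlist."""
    return [(m, n) for m, n in referenced_globals(data)
            if m.split(".")[0] not in ALLOWED_TOP_MODULES]


# Constructed samples, not real model files. The two suspect blobs only push
# a reference to cProfile.runctx and then STOP; they are never loaded here.
BENIGN = pickle.dumps({"weights": [1.0, 2.0], "epoch": 3}, protocol=4)
LEGIT = pickle.dumps(collections.OrderedDict(bias=0.5), protocol=4)
SUSPECT_P0 = b"ccProfile\nrunctx\n."                          # GLOBAL, STOP
SUSPECT_P4 = b"\x80\x04\x8c\x08cProfile\x8c\x06runctx\x93."   # STACK_GLOBAL, STOP

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("legit", LEGIT),
                        ("suspect-p0", SUSPECT_P0), ("suspect-p4", SUSPECT_P4)]:
        print(label, disallowed_globals(blob) or "clean")
```

Run it against checkpoints before they reach any worker; a non-empty result is a hard reject regardless of what picklescan reports.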
Frequently Asked Questions
What is GHSA-9w88-8rmg-7g2p?
picklescan below 0.0.30 fails to flag pickle files that abuse cProfile.runctx for code execution, giving teams a false-clean signal on malicious PyTorch models. Patch to 0.0.30+ immediately and re-scan any external models accepted based on prior picklescan approvals. Never rely on a single scanner as sole defense for pickle file ingestion — treat it as one layer, not a gate.
Is GHSA-9w88-8rmg-7g2p actively exploited?
No confirmed active exploitation of GHSA-9w88-8rmg-7g2p has been reported, but organizations should still patch proactively.
How to fix GHSA-9w88-8rmg-7g2p?
1. IMMEDIATE: Upgrade picklescan to 0.0.30+ on all systems.
2. Re-scan all pickle/PyTorch model files previously approved by picklescan < 0.0.30, especially those from external sources.
3. ARCHITECTURAL: Migrate model serialization to the safetensors format, which does not support arbitrary code execution by design.
4. Add defense-in-depth: run models in sandboxed environments (Docker with no-net, seccomp profiles) even after scan approval.
5. For detection of already-loaded payloads: monitor for unexpected process spawning (os.system, subprocess) from Python ML worker processes.
6. Audit any model ingestion pipeline for single-scanner dependency on picklescan.
What systems are affected by GHSA-9w88-8rmg-7g2p?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML model registries, data science workstations, MLOps CI/CD pipelines.
What is the CVSS score for GHSA-9w88-8rmg-7g2p?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0058 Publish Poisoned Models
- AML.T0074 Masquerading
- AML.T0107 Exploitation for Defense Evasion
Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary
Using the cProfile.runctx function, which is a built-in Python library function, to execute a remote pickle file.

### Details
The attack payload executes in the following steps:
First, the attacker crafts the payload by calling the cProfile.runctx function in the `__reduce__` method.
Then, when the victim, after checking whether the pickle file is safe using the Picklescan library (which doesn't detect any dangerous functions), decides to pickle.load() this malicious pickle file, this leads to remote code execution.

### PoC
```
import cProfile


class EvilCProfileRunctx:
    def __reduce__(self):
        # cProfile.runctx(cmd, globals, locals) -> exec(cmd, ...)
        return cProfile.runctx, ("__import__('os').system('whoami')", None, None)
```

### Impact
Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.
What is the impact? Attackers can embed malicious code in a pickle file that remains undetected but executes when the pickle file is loaded.
Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

### Corresponding
https://github.com/FredericDT
https://github.com/Qhaoduoyu
Exploitation Scenario
An attacker publishes a seemingly legitimate PyTorch sentiment analysis model on HuggingFace. The model file contains an EvilCProfileRunctx payload embedded in the pickle using cProfile.runctx to execute a reverse shell. A security-conscious ML team runs picklescan before loading any external models — the scan returns clean. They load the model in their GPU training server, triggering RCE. The attacker now has a shell in the ML infrastructure with access to training data, model weights, API keys stored in environment variables, and potentially cloud credentials. The entire compromise is silent — no scanner alert, no anomalous file detected.
Related Vulnerabilities
- CVE-2026-3490 10.0 picklescan: blocklist bypass enables full RCE (same package: picklescan)
- GHSA-vvpj-8cmc-gx39 10.0 picklescan: security flaw enables exploitation (same package: picklescan)
- GHSA-g38g-8gr9-h9xp 9.8 picklescan: Allowlist Bypass evades input filtering (same package: picklescan)
- CVE-2025-1945 9.8 picklescan: ZIP flag bypass enables RCE in PyTorch models (same package: picklescan)
- GHSA-7wx9-6375-f5wh 9.8 picklescan: Allowlist Bypass evades input filtering (same package: picklescan)