GHSA-m273-6v24-x4m4 — HIGH AI Security Vulnerability

Q: Is GHSA-m273-6v24-x4m4 actively exploited?

No confirmed active exploitation of GHSA-m273-6v24-x4m4 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-m273-6v24-x4m4?

1) Upgrade picklescan to 0.0.33 immediately: pip install --upgrade picklescan. 2) If immediate patching is blocked, add 'distutils' to your custom blocklist config as a temporary workaround. 3) Audit file modification logs for unexpected writes to sensitive paths (authorized_keys, web configs, app source dirs) from Python processes during the vulnerable window. 4) Apply defense-in-depth regardless of patch status: treat pickle files as untrusted executables; prefer safetensors or ONNX for model distribution wherever possible. 5) Detection: alert on Python processes writing to /root/.ssh/, /home/*/.ssh/, web server config dirs, or application source directories.

Q: What systems are affected by GHSA-m273-6v24-x4m4?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, MLOps CI/CD pipelines.

Q: What is the CVSS score for GHSA-m273-6v24-x4m4?

No CVSS score has been assigned yet.

CISO Take

Picklescan, the de facto security gate for ML pipelines against malicious pickle files, has a trivial bypass via Python's built-in distutils module — meaning any organization running picklescan < 0.0.33 has a false sense of protection. Malicious models crafted with distutils payloads pass scanning clean and can overwrite SSH authorized_keys, web configs, or source code on load, escalating to full RCE. Patch to 0.0.33 immediately and audit all pickle files ingested while running the vulnerable version.

Risk Assessment

HIGH. Exploitability is trivial — the PoC is under 15 lines of standard Python, requiring zero AI/ML expertise or special tooling. Impact is severe: arbitrary file write enables overwriting of SSH keys, web server configs, or application source, with a clear RCE escalation path. Exposure is broad given picklescan's adoption across MLOps pipelines, model registries, and CI/CD security gates. The vulnerability does not require network access — it fires at model load time, inside the trusted perimeter.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
picklescan	pip	< 0.0.33	`0.0.33`
401 3 dependents Pushed 2mo ago 95% patched ~12d to patch Full package profile →

Do you use picklescan? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

1 step

1) Upgrade picklescan to 0.0.33 immediately: pip install --upgrade picklescan. 2) If immediate patching is blocked, add 'distutils' to your custom blocklist config as a temporary workaround. 3) Audit file modification logs for unexpected writes to sensitive paths (authorized_keys, web configs, app source dirs) from Python processes during the vulnerable window. 4) Apply defense-in-depth regardless of patch status: treat pickle files as untrusted executables; prefer safetensors or ONNX for model distribution wherever possible. 5) Detection: alert on Python processes writing to /root/.ssh/, /home/*/.ssh/, web server config dirs, or application source directories.

Classification

Supply Chain Code Execution Framework Model AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models AML.T0107 - Exploitation for Defense Evasion

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.1.2 - AI System Security Controls

NIST AI RMF

MANAGE 2.2 - AI Risk Treatments — Incident Response and Recovery

OWASP LLM Top 10

LLM03:2025 - Supply Chain

Frequently Asked Questions

What is GHSA-m273-6v24-x4m4?

Picklescan, the de facto security gate for ML pipelines against malicious pickle files, has a trivial bypass via Python's built-in distutils module — meaning any organization running picklescan < 0.0.33 has a false sense of protection. Malicious models crafted with distutils payloads pass scanning clean and can overwrite SSH authorized_keys, web configs, or source code on load, escalating to full RCE. Patch to 0.0.33 immediately and audit all pickle files ingested while running the vulnerable version.

Is GHSA-m273-6v24-x4m4 actively exploited?

No confirmed active exploitation of GHSA-m273-6v24-x4m4 has been reported, but organizations should still patch proactively.

How to fix GHSA-m273-6v24-x4m4?

1) Upgrade picklescan to 0.0.33 immediately: pip install --upgrade picklescan. 2) If immediate patching is blocked, add 'distutils' to your custom blocklist config as a temporary workaround. 3) Audit file modification logs for unexpected writes to sensitive paths (authorized_keys, web configs, app source dirs) from Python processes during the vulnerable window. 4) Apply defense-in-depth regardless of patch status: treat pickle files as untrusted executables; prefer safetensors or ONNX for model distribution wherever possible. 5) Detection: alert on Python processes writing to /root/.ssh/, /home/*/.ssh/, web server config dirs, or application source directories.

What systems are affected by GHSA-m273-6v24-x4m4?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, MLOps CI/CD pipelines.

What is the CVSS score for GHSA-m273-6v24-x4m4?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary Picklescan has got open() and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However the module distutils isnt blocked and can be used for the same purpose ie to write arbitrary files. ### Details This is another vulnerability which impacts the downstream user. By constructing a pickle that user distutils.file_util.write_file, an attacker can overwrite critical system files (like .ssh/authorized_keys, web server configurations, or source code) to achieve DoS or escalate to RCE. ### PoC ```python import pickle import distutils.file_util class FileWriteBypass: def __reduce__(self): target_file = "pwned_config.env" content = ["print('I have overwritten your config')"] return (distutils.file_util.write_file, (target_file, content)) payload = pickle.dumps(FileWriteBypass()) with open("bypass_filewrite.pkl", "wb") as f: f.write(payload) print("bypass_filewrite.pkl") ``` <img width="853" height="197" alt="image" src="https://github.com/user-attachments/assets/a129f5aa-a050-4e88-adb7-5a6f93e35b65" /> To fix this just add disutil to the blacklist

Exploitation Scenario

An adversary publishes a malicious model (e.g., fine-tuned-llm.pkl) to a public model hub or compromises a private model registry entry. The model contains a distutils.file_util.write_file payload targeting /root/.ssh/authorized_keys, inserting the attacker's public SSH key. The victim's MLOps CI/CD pipeline scans the model with picklescan < 0.0.33 — scan returns clean, model is promoted to the registry. On the next training run or inference server startup, the payload fires silently during model deserialization, writes the SSH key, and establishes persistent root access to the ML host. No post-exploitation tooling required; the initial foothold is fully established through the model file alone.