GHSA-m7j5-r2p5-c39r: picklescan: Deserialization enables RCE

GHSA-m7j5-r2p5-c39r MEDIUM
Published February 2, 2026
CISO Take

picklescan, the scanner most organizations run over ML model files before loading them, fails to flag the very class of payload it exists to catch. Versions before 1.0.1 do not flag a pickle that instantiates logging.FileHandler, so the file passes the scan and, when the pipeline behind the scanner (a model loader, registry importer or dataset unpacker) deserializes it, it creates an attacker-named zero-byte file on that host. Upgrade to picklescan ≥1.0.1 immediately, treat clean results from older versions as unverified, and audit scanner and loader infrastructure for unexpected sentinel files.

Risk Assessment

Medium-High for organizations that rely on a clean picklescan result to gate automatic loading of third-party pickles. Exploitability is trivial: a single crafted pickle passes the scan unflagged with no authentication required, and the file is created the moment any downstream pickle.load or torch.load deserializes it. Direct RCE is not achieved with this class alone (the primitive is file creation), but it enables reliable DoS via lock-file injection or application logic abuse. One caveat when assessing exposure: the mode argument of logging.FileHandler is attacker-controlled from the pickle. The advisory text describes the default append mode, which leaves existing files untouched, but mode 'w' truncates an existing file, so treat the primitive as create-or-truncate rather than create-only. Highest exposure is in MLOps CI/CD pipelines that automatically scan, then load or register, third-party model artifacts.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         < 1.0.1            1.0.1

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

1. Upgrade picklescan to ≥1.0.1 immediately: pip install --upgrade picklescan. Re-scan any artifact that an older version passed as clean.
2. Run pickle scanning and, above all, any loading of third-party pickles in an isolated container with a read-only or tmpfs filesystem and a restrictive seccomp profile, so that file creation is blocked regardless of the scanner's verdict.
3. Audit scanning and loading hosts for unexpected files, particularly *.lock, maintenance.lock, .lock and .maintenance, and investigate their origin.
4. Implement defense in depth: prefer the safetensors format over pickle for model weights from untrusted sources; pickle should never be loaded without explicit trust.
5. Add filesystem integrity monitoring on scan and load nodes (inotifywait or auditd) to alert on unexpected file creation events during scan and load jobs.

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act: Art.15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.3 - AI risk treatment
NIST AI RMF: MS-2.5 - AI risk and benefit management — supply chain
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-m7j5-r2p5-c39r?

picklescan versions before 1.0.1 do not flag a pickle that instantiates logging.FileHandler, so the file passes the scan and creates an attacker-named zero-byte file on whatever host later deserializes it. It is a blocklist bypass of the scanner rather than an exploit of the scanner process itself; see CISO Take and Technical Details above.

Is GHSA-m7j5-r2p5-c39r actively exploited?

No confirmed active exploitation of GHSA-m7j5-r2p5-c39r has been reported, but organizations should still patch proactively.

How to fix GHSA-m7j5-r2p5-c39r?

Upgrade to picklescan ≥1.0.1 (`pip install --upgrade picklescan`), then follow the five steps under Recommended Action above: sandbox scanning and loading, audit for unexpected lock files, prefer safetensors for untrusted weights, and monitor scan and load nodes for file creation.

What systems are affected by GHSA-m7j5-r2p5-c39r?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, CI/CD ML pipelines, agent frameworks.

What is the CVSS score for GHSA-m7j5-r2p5-c39r?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Summary

Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.

Details

The application deserializes untrusted pickle data. While RCE keywords may be blocked, the exploit abuses standard library features:

logging.FileHandler: the exploit instantiates this class using its default behavior (append mode).
Behavior on existing files: if the target file already exists, the handler opens it without modifying its content, resulting in no impact to existing data.
Behavior on non-existent files: if the target file does not exist, the handler creates a new zero-byte file with the specified name.

PoC

```python
import pickle


class WriteFile:
    # pickle calls __reduce__ when dumping this object; the returned tuple
    # tells the unpickler to call logging.FileHandler("evil.log"), which
    # opens the file in append mode and creates it if it does not exist.
    def __reduce__(self):
        from logging import FileHandler
        return (FileHandler, ('evil.log',))


# Write the payload to disk as a model-like artifact.
with open("bypass_write.pkl", "wb") as f:
    pickle.dump(WriteFile(), f)

# Loading the payload creates evil.log in the current working directory.
handler = pickle.loads(pickle.dumps(WriteFile()))
```

Impact

This primitive can be used for Filesystem Pollution or Logic Disruption. For example, an attacker could create specific "lock files" (e.g., maintenance.lock, .lock) that the application checks for, potentially triggering a Denial of Service (DoS) or preventing the application from starting.
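The PoC above shows the payload; what the bypass means in practice is that a scanner keyed to an RCE blocklist never sees a reason to flag it. The following is an added example, not picklescan's code and not part of the GHSA text, that walks the pickle's opcodes with pickletools.genops to list every global it imports without executing anything, applies both a blocklist check of the kind the advisory describes and an allowlist check, and loads data through a restricted Unpickler whose find_class refuses anything outside the allowlist. It also illustrates the "pickle should never be loaded without explicit trust" item under Recommended Action. The blocklist and allowlist contents, the function names and the benign checkpoint sample are illustrative assumptions, not picklescan's rules.

```python
"""Added example, not picklescan's code and not part of the GHSA text.

Walks a pickle's opcodes with pickletools.genops to list every global it
imports (nothing is deserialized), applies an RCE-focused blocklist of the
kind the advisory says is bypassed and an allowlist that catches the same
payload, and loads data through a restricted Unpickler.  The lists, names
and the benign sample below are illustrative assumptions."""
from __future__ import annotations

import io
import pickle
import pickletools
from logging import FileHandler

# Opcodes that push a text string.  STACK_GLOBAL (protocol 4+) consumes the
# two most recent string pushes as (module, name).
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}

# Blocklist of the RCE-focused kind the advisory describes (assumed entries);
# logging.FileHandler is absent, which is the whole bypass.
RCE_BLOCKLIST = {("os", "system"), ("subprocess", "Popen"),
                 ("builtins", "eval"), ("builtins", "exec")}

# Allowlist for a restricted loader: plain data containers only (assumed).
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                ("collections", "OrderedDict")}


def pickle_globals(data: bytes) -> set[tuple[str, str]]:
    """Return every (module, name) the pickle would import, without loading it.
    Limitation: strings fetched back from the memo (BINGET) before a
    STACK_GLOBAL are not followed; a production scanner must resolve those."""
    found: set[tuple[str, str]] = set()
    recent: list[str] = []  # last two string operands, for STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name == "GLOBAL":  # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) == 2:
            found.add((recent[0], recent[1]))
    return found


def blocklist_verdict(data: bytes) -> str:
    """Flag only known-bad globals: the FileHandler payload comes back clean."""
    return "dangerous" if pickle_globals(data) & RCE_BLOCKLIST else "clean"


def allowlist_verdict(data: bytes) -> str:
    """Flag any global outside SAFE_GLOBALS: the same payload is dangerous."""
    return "dangerous" if pickle_globals(data) - SAFE_GLOBALS else "clean"


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global outside SAFE_GLOBALS at load time, so the
    pickle can never reach logging.FileHandler, whatever the scanner said."""

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def refuses(data: bytes) -> bool:
    """True if the restricted loader rejects the pickle."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class WriteFile:
    """The advisory's payload: reduces to logging.FileHandler("evil.log")."""

    def __reduce__(self):
        return (FileHandler, ("evil.log",))


POC_PROTO4 = pickle.dumps(WriteFile(), protocol=4)  # STACK_GLOBAL encoding
POC_PROTO2 = pickle.dumps(WriteFile(), protocol=2)  # GLOBAL encoding
# Constructed benign sample standing in for a harmless checkpoint dict.
BENIGN = pickle.dumps({"epoch": 3, "loss": [0.5, 0.25]}, protocol=4)

if __name__ == "__main__":
    # pickle.loads(POC_*) is deliberately never called: that is what would
    # create evil.log in the working directory.
    for label, blob in (("poc", POC_PROTO4), ("benign", BENIGN)):
        print(label, sorted(pickle_globals(blob)), blocklist_verdict(blob),
              allowlist_verdict(blob), "refused" if refuses(blob) else "loaded")
```

Run as a script, the PoC bytes are reported clean by the blocklist and dangerous by the allowlist, and the restricted loader refuses them while the benign dict loads normally. Both pickle protocol encodings of a class reference are handled (GLOBAL for protocol 2 and STACK_GLOBAL for protocol 4), which is the minimum any scanner must cover; memo-resolved module names are a known gap in this illustration.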

Exploitation Scenario

An adversary uploads a weaponized .pkl file to a public model hub or submits it as a 'contributed model' to an ML project. The victim's CI/CD pipeline automatically runs picklescan to validate the artifact before registering it; picklescan < 1.0.1 has no rule for logging.FileHandler and reports the file clean. The registry or loader then deserializes the pickle, which instantiates logging.FileHandler and creates a zero-byte maintenance.lock file in the application working directory. On the next service restart the application detects the lock file and enters a degraded maintenance mode, or refuses to start entirely, causing a production outage. The attacker achieves a reliable DoS with no credentials, no network access beyond file submission, and nothing in the artifact that an RCE-focused blocklist recognizes, since logging.FileHandler is a standard library class.

Timeline

Published
February 2, 2026
Last Modified
February 2, 2026
First Seen
March 24, 2026

Related Vulnerabilities