GHSA-vqmv-47xg-9wpr — HIGH AI Security Vulnerability

CISO Take

Update picklescan to v0.0.33 immediately — any model file previously cleared by picklescan should be treated as untrusted and re-scanned. This bypass creates a critical false-negative gap: your security scanner gives a clean bill of health while a shell spawns on model load. If your ML pipeline loads third-party or user-supplied pickle-based models (PyTorch .pkl/.pth), assume you may have loaded malicious code undetected.

Risk Assessment

HIGH. The vulnerability is a complete bypass of a widely-deployed ML security control, not just a weakness in the model itself. Organizations that use picklescan as their primary or sole gate against malicious model files have zero effective protection against this technique. The `pty.spawn` gadget is trivially embeddable; the PoC is public; and exploitation requires no elevated privileges — only the ability to distribute or serve a crafted pickle file. The false-negative result actively increases risk by conferring unwarranted trust.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
picklescan	pip	< 0.0.33	`0.0.33`
401 3 dependents Pushed 2mo ago 95% patched ~12d to patch Full package profile →

Do you use picklescan? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

6 steps

PATCH

Upgrade picklescan to >= 0.0.33 across all environments (pip install --upgrade picklescan).
RE-SCAN: Re-validate all model files previously cleared by older versions — treat prior scan results as unreliable.
DEFENSE-IN-DEPTH: Do not rely solely on picklescan; implement sandboxed model loading (isolated container/VM with no network and minimal filesystem access).
MIGRATE FORMAT

Prefer SafeTensors over pickle-based formats for model storage and distribution; enforce this in your model ingestion policy.
DETECT

Monitor for unexpected subprocess spawning (especially /bin/sh, pty) from Python processes that handle model loading. Alert on outbound connections from model-loading workers.
GOVERNANCE

Enforce model provenance controls — only load signed models from trusted registries; block loading of arbitrary community models in production.

Classification

Supply Chain Code Execution Model Framework AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models AML.T0074 - Masquerading AML.T0107 - Exploitation for Defense Evasion

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.5 - AI supply chain security A.6.2 - AI system supply chain A.9.4 - Information security in AI system acquisition and maintenance

NIST AI RMF

GOVERN 6.1 - AI supply chain risk management GOVERN 6.2 - AI risk is monitored across the supply chain MANAGE 2.2 - Mechanisms to sustain risk response are in place MEASURE 2.5 - AI risk and impact assessment

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is GHSA-vqmv-47xg-9wpr?

Update picklescan to v0.0.33 immediately — any model file previously cleared by picklescan should be treated as untrusted and re-scanned. This bypass creates a critical false-negative gap: your security scanner gives a clean bill of health while a shell spawns on model load. If your ML pipeline loads third-party or user-supplied pickle-based models (PyTorch .pkl/.pth), assume you may have loaded malicious code undetected.

Is GHSA-vqmv-47xg-9wpr actively exploited?

No confirmed active exploitation of GHSA-vqmv-47xg-9wpr has been reported, but organizations should still patch proactively.

How to fix GHSA-vqmv-47xg-9wpr?

1. PATCH: Upgrade picklescan to >= 0.0.33 across all environments (pip install --upgrade picklescan). 2. RE-SCAN: Re-validate all model files previously cleared by older versions — treat prior scan results as unreliable. 3. DEFENSE-IN-DEPTH: Do not rely solely on picklescan; implement sandboxed model loading (isolated container/VM with no network and minimal filesystem access). 4. MIGRATE FORMAT: Prefer SafeTensors over pickle-based formats for model storage and distribution; enforce this in your model ingestion policy. 5. DETECT: Monitor for unexpected subprocess spawning (especially /bin/sh, pty) from Python processes that handle model loading. Alert on outbound connections from model-loading workers. 6. GOVERNANCE: Enforce model provenance controls — only load signed models from trusted registries; block loading of arbitrary community models in production.

What systems are affected by GHSA-vqmv-47xg-9wpr?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps model registries, CI/CD model validation pipelines, model import/export workflows.

What is the CVSS score for GHSA-vqmv-47xg-9wpr?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary Using pty.spawn, which is a built-in python library function to execute arbitrary commands on the host system. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to `pty.spawn` function in the `__reduce__` method. Then the victim attempts to use picklescan to scan the pickle file for issues and sees this - ``` ----------- SCAN SUMMARY ----------- Scanned files: 1 Infected files: 0 Dangerous globals: 0 ``` The victim proceeds to load the pickle file and execute attacker-injected arbitrary code. ### PoC ``` class PtyExploit: def __reduce__(self): return (pty.spawn, (["/bin/sh", "-c", "id; exit"],)) ``` ### Impact **Who is impacted?** Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. **What is the impact?** Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. **Supply Chain Attack**: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects. ### Collaborators https://github.com/ajohnston9 https://github.com/geo-lit

Exploitation Scenario

An adversary uploads a weaponized PyTorch model to a public model hub or sends it via a targeted supply chain vector (e.g., a pull request to an internal model repository). The victim's MLOps pipeline runs picklescan on the file as a security gate — it returns 'Infected files: 0'. The model passes validation and is deployed to a model serving endpoint. When the serving process loads the model with `torch.load()`, `__reduce__` fires `pty.spawn(['/bin/sh', '-c', '...'])`, executing an attacker-controlled command. From there, the adversary can exfiltrate cloud credentials from the instance metadata service, establish persistence, or pivot laterally to the training data store or secrets manager.