GHSA-rrxm-2pvv-m66x
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef
Details
### Summary
Picklescan uses the `numpy.f2py.crackfortran.getlincoef` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.
### Details
Picklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran.getlincoef` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.
### PoC ```python class PoC: def __reduce__(self): from numpy.f2py.crackfortran import getlincoef return getlincoef, ("__import__('os').system('whoami')", None) ```
### Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file. - Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts. - Enables supply‑chain poisoning of shared model files.
### Credits - [ac0d3r](https://github.com/ac0d3r) - [Tong Liu](https://lyutoon.github.io), Institute of information engineering, CAS
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x [WEB]
- https://github.com/mmaitre314/picklescan/pull/53 [WEB]
- https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab [WEB]
- https://github.com/mmaitre314/picklescan [PACKAGE]
- https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33 [WEB]