GHSA-jgw4-cr84-mqxg: 
Python Analisi e mitigazione delle vulnerabilità

PickleScan, a security scanner for detecting suspicious Python Pickle files, contains a vulnerability (GHSA-jgw4-cr84-mqxg) that allows bypass of malicious file detection when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). The vulnerability affects versions <= 0.0.30 and has been patched in version 0.0.31. This security flaw was discovered and disclosed in September 2025, impacting organizations and individuals relying on PickleScan for securing PyTorch models and pickle files (GitHub Advisory).

The vulnerability exists in the scan_bytes function within picklescan/scanner.py, specifically around line 463. When encountering a file with a PyTorch-related extension, the scanner prioritizes PyTorch file extension checks and terminates with an error when parsing a standard pickle file with such an extension, instead of falling back to standard pickle analysis. The vulnerability has been assigned a CVSS score of 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability significantly weakens PickleScan's security capabilities by allowing attackers to bypass detection mechanisms. Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt), which would then bypass PickleScan's detection mechanism. This opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or direct file sharing (GitHub Advisory).

The vulnerability has been patched in version 0.0.31. The fix modifies the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails. The patch implements a two-step approach: first attempting PyTorch scan if the file extension matches known PyTorch extensions, then falling back to standard pickle scanning regardless of the PyTorch scan's outcome. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities (GitHub Commit).