
A high-severity vulnerability (GHSA-mjqp-26hc-grxg) was discovered in Picklescan versions <= 0.0.30, affecting its ability to scan ZIP archives for malicious pickle files. The vulnerability was disclosed on September 8, 2025, and patched in version 0.0.31. The issue occurs when the archive contains a file with a bad Cyclic Redundancy Check (CRC), causing Picklescan to fail without scanning the files, while PyTorch might still be able to load potentially malicious content (GitHub Advisory).
The vulnerability stems from Picklescan's use of Python's built-in zipfile module for handling ZIP archives. When encountering a file with a mismatch between declared and calculated CRC, the module raises exceptions like BadZipFile, causing Picklescan to fail without attempting to scan the files. This contrasts with PyTorch's behavior, which often bypasses CRC checks. The vulnerability has a CVSS v3.1 score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and is classified under CWE-693 (Protection Mechanism Failure) (GitHub Advisory).
The vulnerability affects any organization or individual using Picklescan to analyze PyTorch models or files distributed as ZIP archives for malicious pickle content. Attackers can exploit this by crafting malicious PyTorch models with embedded pickle payloads, packaging them into ZIP archives with intentional CRC errors. This creates a significant security blind spot where malicious code can be distributed and potentially executed without detection by Picklescan, while still being loadable by PyTorch (GitHub Advisory).
The vulnerability has been patched in Picklescan version 0.0.31. The fix modifies the RelaxedZipFile implementation to disable CRC validation, aligning Picklescan's behavior with PyTorch's: the patch adds code that sets extfile.expected_crc = None in the ZIP file handling process, so a CRC mismatch no longer aborts the scan (GitHub Commit).
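The following is an added illustration, not code from the advisory or from Picklescan itself. It reproduces the failure mode in plain Python: a constructed one-member ZIP whose harmless text member carries a deliberately wrong CRC-32, a stock zipfile read that raises BadZipFile before any bytes reach a scanner, and a relaxed read in the spirit of the 0.0.31 fix, which clears CPython's private ZipExtFile attribute `_expected_crc` (assumed here to be what the fix's expected_crc = None refers to) so the member can still be scanned.

```python
import io
import struct
import zipfile
import zlib

# Constructed fixture: a harmless text member standing in for a model file.
MEMBER = "archive/data.pkl"
CONTENT = b"placeholder bytes, not a real pickle"


def build_zip(name: str, data: bytes, corrupt_crc: bool = False) -> bytes:
    """Build a one-member stored ZIP; optionally overwrite its CRC-32 with a wrong value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if corrupt_crc:
        bad = (zlib.crc32(data) + 1) & 0xFFFFFFFF  # guaranteed to differ from the real CRC
        # Local file header starts at offset 0; its CRC-32 field is at offset 14.
        struct.pack_into("<I", raw, 14, bad)
        # Central directory record: CRC-32 sits 16 bytes past its PK\x01\x02 signature.
        cd = raw.find(b"PK\x01\x02")
        struct.pack_into("<I", raw, cd + 16, bad)
    return bytes(raw)


def read_member(archive: bytes, name: str, verify_crc: bool = True) -> bytes:
    """Read one member. verify_crc=True is stock zipfile behaviour (Picklescan <= 0.0.30);
    verify_crc=False mirrors the 0.0.31 fix by clearing the expected CRC on the ZipExtFile."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        with zf.open(name) as extfile:
            if not verify_crc:
                # CPython keeps the reference CRC in the private attribute _expected_crc;
                # None makes ZipExtFile._update_crc skip the comparison entirely.
                extfile._expected_crc = None
            return extfile.read()


def scan_outcome(archive: bytes, name: str, verify_crc: bool) -> str:
    """'scanned' if member bytes reached the scanner, 'skipped' if a CRC error aborted the read."""
    try:
        data = read_member(archive, name, verify_crc)
    except zipfile.BadZipFile:
        return "skipped"
    return "scanned" if data == CONTENT else "corrupt"


if __name__ == "__main__":
    bad = build_zip(MEMBER, CONTENT, corrupt_crc=True)
    print("strict :", scan_outcome(bad, MEMBER, verify_crc=True))   # skipped
    print("relaxed:", scan_outcome(bad, MEMBER, verify_crc=False))  # scanned
```

A scanner that chooses to keep verifying CRCs should report the mismatch itself as a finding rather than returning an empty result, so that an archive the loader will still accept never passes as clean.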
Source: This report was generated using artificial intelligence