CVE-2025-10157: 
Python vulnerability analysis and mitigation

A Protection Mechanism Failure vulnerability (CVE-2025-10157) was discovered in mmaitre314 picklescan versions up to and including 0.0.30. The vulnerability allows attackers to bypass the unsafe globals check functionality, which is designed to prevent malicious code execution. This bypass is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). The vulnerability was disclosed on September 8, 2025 (GitHub Advisory).

The vulnerability stems from a flawed implementation in the scanner's module name checking mechanism. The issue occurs in the scanner.py file where the code performs strict matching against the unsafeglobals dictionary. The CVSS v4.0 score is 9.3 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-693 (Protection Mechanism Failure) (NVD).

When exploited, this vulnerability allows attackers to bypass PickleScan's security checks and potentially execute arbitrary code. The vulnerability is particularly concerning for organizations like HuggingFace and individuals using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content. Successful exploitation could lead to code execution on the user's system when processing or loading malicious files (GitHub Advisory).

The vulnerability has been patched in version 0.0.31. The fix involves modifying the module name checking logic to account for submodule imports. Instead of exact matching, the new implementation checks if the imported module starts with any known unsafe global and verifies that it's either an exact match or a proper submodule. Users are strongly advised to upgrade to version 0.0.31 or later (GitHub Advisory).