GHSA-3gf5-cxq9-w223: 
Python vulnerability analysis and mitigation

A security vulnerability was identified in Picklescan versions prior to 0.0.30, tracked as GHSA-3gf5-cxq9-w223. The vulnerability allows attackers to bypass Picklescan's security checks by utilizing the built-in Python library function idlelib.pyshell.ModifiedInterpreter.runcode to execute malicious code through pickle files. This vulnerability was discovered and disclosed on August 26, 2025, affecting organizations and individuals using Picklescan for detecting malicious pickle files in PyTorch models (GitHub Advisory).

The vulnerability exploits Picklescan's failure to detect calls to the idlelib.pyshell.ModifiedInterpreter.runcode function. Attackers can craft a payload using the reduce method to call this built-in Python library function. The attack involves creating a specially crafted pickle file that passes Picklescan's security checks but contains malicious code that executes when the pickle file is loaded. The vulnerability has been assigned a Moderate severity rating (GitHub Advisory).

The vulnerability impacts any organization or individual relying on Picklescan to detect malicious pickle files inside PyTorch models. Attackers can exploit this vulnerability to embed malicious code in pickle files that remain undetected by Picklescan but execute when loaded. This creates potential for supply chain attacks, allowing attackers to distribute infected pickle files across machine learning models, APIs, and saved Python objects (GitHub Advisory).

The vulnerability has been patched in Picklescan version 0.0.30. Users are advised to upgrade to this version or later to address the security issue. The fix includes adding detection for the idlelib.pyshell.ModifiedInterpreter.runcode function to Picklescan's security checks (Picklescan Commit).