GHSA-49gj-c84q-6qm9: 
Python vulnerability analysis and mitigation

A security vulnerability was identified in picklescan library versions prior to 0.0.30, tracked as GHSA-49gj-c84q-6qm9. The vulnerability allows attackers to bypass picklescan's security checks by using Python's built-in cProfile.run function to execute malicious code through pickle files. This vulnerability was discovered and disclosed on August 26, 2025 (GitHub Advisory).

The vulnerability stems from picklescan's failure to detect potentially dangerous calls to Python's built-in cProfile.run function. Attackers can craft a malicious payload by implementing a reduce method that returns cProfile.run along with arbitrary code to execute. When the victim uses picklescan to verify the pickle file's safety, the library fails to detect this dangerous function, allowing subsequent pickle.load() operations to execute the malicious code (GitHub Advisory).

The vulnerability primarily affects organizations and individuals using picklescan to detect malicious pickle files within PyTorch models. Attackers can exploit this vulnerability to embed and execute malicious code that remains undetected by picklescan's security checks. This can lead to supply chain attacks where infected pickle files can be distributed across machine learning models, APIs, and saved Python objects (GitHub Advisory).

The vulnerability has been patched in picklescan version 0.0.30. Users are strongly advised to upgrade to this version or later to receive the security fix. The patch includes additional detection capabilities for potentially dangerous Python built-in functions, including cProfile.run (GitHub Commit).