GHSA-4whj-rm5r-c2v8: 
Python vulnerability analysis and mitigation

A moderate severity vulnerability was identified in picklescan versions prior to 0.0.30, tracked as GHSA-4whj-rm5r-c2v8. The vulnerability stems from picklescan's failure to detect potentially malicious calls to the PyTorch function torch.utils.bottleneck.main.runautogradprof. This security flaw was discovered and disclosed on August 26, 2025, affecting organizations and individuals who rely on picklescan for detecting malicious pickle files within PyTorch models (GitHub Advisory).

The vulnerability allows attackers to bypass picklescan's security checks by crafting a payload that utilizes the torch.utils.bottleneck.main.runautogradprof function. The exploit involves creating a malicious class with a reduce method that returns the runautogradprof function along with arbitrary code execution parameters. When the pickle file is loaded after passing picklescan's checks, it can execute arbitrary commands on the victim's system (GitHub Advisory).

The vulnerability's impact is significant for organizations using picklescan as a security tool. Attackers can create malicious pickle files that evade detection while maintaining the ability to execute arbitrary code when loaded. This creates potential for supply chain attacks where infected pickle files could be distributed across machine learning models, APIs, and saved Python objects (GitHub Advisory).

The vulnerability has been patched in picklescan version 0.0.30. Users are strongly advised to upgrade to this version or later. The fix includes adding the runautogradprof function to the list of detected dangerous functions in the scanner (GitHub Commit).