GHSA-6vqj-c2q5-j97w: 
Python vulnerability analysis and mitigation

A security vulnerability was identified in picklescan (pip package) affecting versions prior to 0.0.29, tracked as GHSA-6vqj-c2q5-j97w. The vulnerability involves a missing detection capability when calling the built-in Python profile.Profile.runctx function, which could allow attackers to bypass security checks and execute malicious code through pickle files. The issue was discovered and disclosed on August 26, 2025, affecting organizations and individuals relying on picklescan for detecting malicious pickle files in PyTorch models (GitHub Advisory).

The vulnerability stems from picklescan's inability to detect potentially dangerous calls to profile.Profile.runctx, a built-in Python library function. Attackers can craft a payload by implementing a reduce method that returns the Profile.runctx function along with malicious code as arguments. When the pickle file is loaded after passing picklescan's security checks, it can lead to remote code execution. The vulnerability has been assigned a Moderate severity rating (GitHub Advisory).

The vulnerability impacts any organization or individual using picklescan to detect malicious pickle files within PyTorch models. Attackers can exploit this weakness to embed malicious code in pickle files that remain undetected by the security scanner but execute when loaded. This creates potential for supply chain attacks where infected pickle files could be distributed across machine learning models, APIs, or saved Python objects (GitHub Advisory).

The vulnerability has been patched in picklescan version 0.0.29. Users are advised to upgrade to this version or later to address the security issue. The fix includes adding profile.Profile.runctx to the list of dangerous functions that picklescan detects (GitHub Commit).