GHSA-86cj-95qr-2p4f: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-86cj-95qr-2p4f) affects the picklescan library versions <= 0.0.27, which fails to detect potentially malicious code when using the PyTorch function torch._dynamo.guards.GuardBuilder.get. The issue was discovered and reported by FredericDT, and was patched in version 0.0.28 released on August 22, 2025 (GitHub Release).

The vulnerability allows attackers to bypass picklescan's security checks by utilizing the torch._dynamo.guards.GuardBuilder.get function. The exploit works by crafting a payload that implements the reduce method, which returns the GuardBuilder.get function along with crafted parameters. The payload uses types.SimpleNamespace to create a fake scope and passes malicious code as a parameter (GitHub Advisory).

The vulnerability impacts any organization or individual using picklescan to detect malicious pickle files within PyTorch models. Attackers can embed malicious code in pickle files that remain undetected by picklescan's security checks but execute when the pickle file is loaded. This creates potential for supply chain attacks where infected pickle files could be distributed across machine learning models, APIs, and saved Python objects (GitHub Advisory).

Users should upgrade to picklescan version 0.0.28 or later, which includes patches for this vulnerability. The fix involves adding torch._dynamo.guards.GuardBuilder.get to the list of dangerous functions that picklescan detects (GitHub Release).