GHSA-86cj-95qr-2p4f: 
Python vulnerability analysis and mitigation

A security vulnerability was discovered in picklescan library versions <= 0.0.27, identified as GHSA-86cj-95qr-2p4f. The vulnerability allows attackers to bypass picklescan's security checks by using the torch._dynamo.guards.GuardBuilder.get function to execute malicious code through pickle files. The issue was discovered and reported by FredericDT, and was patched in version 0.0.28 released on August 22, 2025 (GitHub Advisory).

The vulnerability exists in the way picklescan processes PyTorch pickle files. Specifically, the scanner fails to detect malicious code when it's wrapped using the torch.dynamo.guards.GuardBuilder.get function. Attackers can craft a payload by implementing a _reduce__ method that returns the GuardBuilder.get function along with malicious code as parameters. When the pickle file is loaded after passing picklescan's security checks, it leads to remote code execution (GitHub Advisory).

The vulnerability affects any organization or individual using picklescan to detect malicious pickle files within PyTorch models. Attackers can exploit this vulnerability to embed malicious code in pickle files that remain undetected by picklescan's security checks. This creates potential for supply chain attacks where infected pickle files could be distributed across machine learning models, APIs, and saved Python objects (GitHub Advisory).

The vulnerability has been patched in picklescan version 0.0.28. Users are advised to upgrade to this version to prevent potential exploitation. The fix involves adding torch._dynamo.guards.GuardBuilder.get to the list of dangerous functions that picklescan detects (GitHub Release).