GHSA-cj3c-v495-4xqh: 
Python vulnerability analysis and mitigation

A security vulnerability was identified in Picklescan (versions < 0.0.29) where the library fails to detect potentially malicious code execution through the built-in Python code.InteractiveInterpreter.runcode function. The vulnerability was discovered and disclosed on August 26, 2025, affecting organizations and individuals who rely on Picklescan to detect malicious pickle files inside PyTorch models (GitHub Advisory).

The vulnerability (GHSA-cj3c-v495-4xqh) involves a missing detection mechanism when calling the built-in Python code.InteractiveInterpreter.runcode function. The attack payload is crafted by calling this function within a reduce method, which can execute arbitrary code when the pickle file is loaded. The vulnerability has been assigned a Moderate severity rating (GitHub Advisory).

The vulnerability impacts any organization or individual using Picklescan to detect malicious pickle files within PyTorch models. Attackers can exploit this vulnerability to embed malicious code in pickle files that remain undetected by Picklescan but execute when loaded. This creates potential for supply chain attacks where infected pickle files can be distributed across machine learning models, APIs, or saved Python objects (GitHub Advisory).

The vulnerability has been patched in Picklescan version 0.0.29. Users are advised to upgrade to this version to prevent potential exploitation. The fix includes adding detection for the code.InteractiveInterpreter.runcode function among other potentially dangerous built-in Python functions (Picklescan Commit).