GHSA-f4x7-rfwp-v3xw: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-f4x7-rfwp-v3xw) affects the picklescan package versions <= 0.0.27, with a fix available in version 0.0.28. The issue involves a missing detection capability when calling the PyTorch function torch.fx.experimental.symbolicshapes.ShapeEnv.evaluateguards_expression, which could be exploited to execute malicious code through pickle files (GitHub Advisory).

The vulnerability stems from picklescan's inability to detect potentially dangerous calls to torch.fx.experimental.symbolicshapes.ShapeEnv.evaluateguardsexpression. The attack payload is crafted by implementing a _reduce_ method that returns the symbolicshapes.ShapeEnv.evaluateguardsexpression function along with malicious code as arguments. When the pickle file is loaded after passing picklescan's security check, it can lead to arbitrary code execution (GitHub Advisory).

The vulnerability affects any organization or individual using picklescan to detect malicious pickle files within PyTorch models. Attackers can embed malicious code in pickle files that bypass detection and execute when loaded. This creates potential for supply chain attacks where infected pickle files could be distributed across machine learning models, APIs, and saved Python objects (GitHub Advisory).

The vulnerability has been patched in picklescan version 0.0.28. Users should upgrade to this version or later to ensure protection against this attack vector. The fix includes adding torch.fx.experimental.symbolicshapes.ShapeEnv.evaluateguards_expression to the list of dangerous functions that picklescan detects (GitHub Release).