GHSA-fj43-3qmq-673f: 
Python vulnerability analysis and mitigation

A vulnerability (GHSA-fj43-3qmq-673f) was discovered in Picklescan versions below 0.0.25, where the library failed to detect unsafe global functions in the Numpy library. This vulnerability allows attackers to bypass static analysis tools and execute arbitrary code during deserialization. The issue was published on April 6, 2025, affecting the Python package picklescan on pip, with version 0.0.25 released as the patched version (GitHub Advisory).

The vulnerability exploits Python's pickle module's deserialization process through the reduce method. The attack specifically leverages the runstring function in numpy.testing._private.utils, which can indirectly call dangerous functions like exec(). Since Numpy library wasn't included in the unsafe globals blacklist, Picklescan failed to detect this as a security threat. The vulnerability has been assigned a CVSS score of 5.3 (Moderate severity) with attack vector being Network, attack complexity Low, and requiring Passive user interaction (GitHub Advisory).

The vulnerability primarily affects organizations and individuals relying on Picklescan to detect malicious pickle files within PyTorch models, including projects like Invoke-AI. Attackers can embed malicious code in pickle files that remain undetected but execute when loaded. This enables potential supply chain attacks where infected pickle files can be distributed across ML models, APIs, or saved Python objects (GitHub Advisory).

The recommended fix is to upgrade to Picklescan version 0.0.25 or later. Additionally, the developers suggest adding the Numpy library to the unsafe globals blacklist to prevent similar vulnerabilities (GitHub Advisory).