GHSA-j343-8v2j-ff7w: 
Python vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-j343-8v2j-ff7w) was discovered in the picklescan library affecting versions below 0.0.30. The vulnerability involves the missing detection of potentially malicious code when calling the built-in Python function idlelib.pyshell.ModifiedInterpreter.runcommand. This security flaw was discovered and disclosed on August 26, 2025, affecting organizations and individuals relying on picklescan to detect malicious pickle files inside PyTorch models (GitHub Advisory).

The vulnerability stems from picklescan's inability to detect malicious code execution through the idlelib.pyshell.ModifiedInterpreter.runcommand function. The attack involves crafting a payload that utilizes the reduce method to call this built-in Python library function. The vulnerability allows attackers to bypass picklescan's security checks, as the library fails to identify this particular function as dangerous. The issue was patched in version 0.0.30 of picklescan (GitHub Commit).

The vulnerability's impact is significant for organizations using picklescan for security validation. Attackers can embed malicious code in pickle files that remain undetected by the security scanner but execute when the pickle file is loaded. This creates potential for supply chain attacks, allowing attackers to distribute infected pickle files across machine learning models, APIs, and saved Python objects (GitHub Advisory).

The vulnerability has been patched in picklescan version 0.0.30. Users are strongly advised to upgrade to this version or later to ensure proper detection of malicious pickle files. The fix includes adding the ModifiedInterpreter.runcommand function to the list of dangerous functions that picklescan detects (GitHub Commit).