Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseGHSA-jgw4-cr84-mqxg
GHSA-jgw4-cr84-mqxg:
Python vulnerability analysis and mitigation
Overview
PickleScan, a security scanner for detecting suspicious Python Pickle files, contains a vulnerability (GHSA-jgw4-cr84-mqxg) that allows bypass of malicious file detection when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). The vulnerability affects versions <= 0.0.30 and has been patched in version 0.0.31. This security flaw was discovered and disclosed in September 2025, impacting organizations and individuals relying on PickleScan for securing PyTorch models and pickle files (GitHub Advisory).
Technical details
The vulnerability exists in the scan_bytes function within picklescan/scanner.py, specifically around line 463. When encountering a file with a PyTorch-related extension, the scanner prioritizes PyTorch file extension checks and terminates with an error when parsing a standard pickle file with such an extension, instead of falling back to standard pickle analysis. The vulnerability has been assigned a CVSS score of 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability (GitHub Advisory).
Impact
The vulnerability significantly weakens PickleScan's security capabilities by allowing attackers to bypass detection mechanisms. Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt), which would then bypass PickleScan's detection mechanism. This opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or direct file sharing (GitHub Advisory).
Mitigation and workarounds
The vulnerability has been patched in version 0.0.31. The fix modifies the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails. The patch implements a two-step approach: first attempting PyTorch scan if the file extension matches known PyTorch extensions, then falling back to standard pickle scanning regardless of the PyTorch scan's outcome. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities (GitHub Commit).
Additional resources
Source: This report was generated using AI
Related Python vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management