GHSA-vv6j-3g6g-2pvj: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-vv6j-3g6g-2pvj) affects the picklescan library versions <= 0.0.27, which fails to detect potentially malicious code when the PyTorch function torch.utils.configmodule.load_config is used. This security flaw was discovered and reported by FredericDT, and was patched in version 0.0.28 released on August 22, 2025 (GitHub Release).

The vulnerability allows attackers to bypass picklescan's security checks by utilizing the torch.utils.configmodule.loadconfig function. The attack works in two steps: first, the attacker crafts a payload by calling the torch.utils.configmodule.loadconfig function in the reduce method; second, when the victim uses picklescan to check the pickle file's safety, the library fails to detect the dangerous function, leading to potential remote code execution when the pickle file is loaded (GitHub Advisory).

The vulnerability affects any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. Attackers can exploit this flaw to embed malicious code in pickle files that remain undetected but execute when loaded. This creates potential for supply chain attacks where infected pickle files could be distributed across ML models, APIs, or saved Python objects (GitHub Advisory).

Users should upgrade to picklescan version 0.0.28 or later, which includes patches for this vulnerability. The fix was implemented as part of a larger security update addressing multiple PyTorch-related detection issues (GitHub Release).