VYPR
High severity 8.9 · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

picklescan - Remote Code Execution via Incomplete Disallowed Inputs

CVE-2025-71320

Description

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Incomplete deny-list in picklescan fails to block `pydoc.locate` and `operator.methodcaller`, allowing attackers to bypass security checks and achieve arbitrary code execution via crafted pickle files."

Attack vector

A remote attacker crafts a malicious pickle file that uses `pydoc.locate` to dynamically resolve an arbitrary module (e.g., `os`) and `operator.methodcaller` to invoke a method on that module (e.g., `system`). When a victim deserializes the pickle with `pickle.load()`, the attacker's payload executes arbitrary commands on the victim's machine. The attack requires no authentication and can be delivered over any channel that causes the victim to load the pickle (e.g., email attachment, file upload, or network share). [ref_id=1]

Affected code

The picklescan deny-list in versions before 0.0.33 only blocks specific functions from the `pydoc` and `operator` modules but omits `pydoc.locate` and `operator.methodcaller`. Because these two functions are not listed, picklescan treats pickle entries that use them as "Safe" or "Suspicious" rather than "Dangerous", allowing malicious pickles to bypass the scanner.

What the fix does

The advisory recommends changing the deny-list entries for the `pydoc` and `operator` modules from per-function blocks to a wildcard (`*`), so that any function from these modules is flagged as "Dangerous". This closes the gap because attackers can no longer pick another unlisted function from the same modules to bypass the scanner. The exact diff is not shown, but the remediation guidance is clear: block the entire module rather than maintaining a per-function deny-list. [ref_id=1]
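The difference between the two deny-list styles, as an added example that is not picklescan's code: a simplified static check that lists the globals a pickle imports and applies each style. The deny-list tables, function names and samples are constructed for illustration.

```python
import operator
import pickle
import pickletools
import pydoc

# Constructed deny-lists for illustration; not picklescan's real tables.
PER_FUNCTION = {"os": "*", "pydoc": {"pipepager"}, "operator": {"attrgetter"}}
WILDCARD = {"os": "*", "pydoc": "*", "operator": "*"}

# Constructed, inert samples: each pickle only references the two callables
# (no REDUCE opcode, nothing is invoked). Protocol 3 emits GLOBAL, protocol 4
# emits STACK_GLOBAL, so both import encodings are covered.
SAMPLES = {p: pickle.dumps((pydoc.locate, operator.methodcaller), protocol=p)
           for p in (3, 4)}


def imported_globals(data: bytes) -> set:
    """Return the (module, name) pairs a pickle imports, without loading it."""
    found, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Simplification: take the two most recent string pushes; an
            # import that cannot be resolved is recorded as (None, None).
            found.add(tuple(strings[-2:]) if len(strings) >= 2 else (None, None))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def flagged(found: set, deny_list: dict) -> set:
    """Return the imports the deny-list marks dangerous."""
    hits = set()
    for module, name in found:
        rule = deny_list.get(module)
        # Unresolved imports fail closed; "*" blocks the whole module.
        if module is None or rule == "*" or (rule and name in rule):
            hits.add((module, name))
    return hits


if __name__ == "__main__":
    for proto, data in SAMPLES.items():
        found = imported_globals(data)
        print(proto, "per-function:", sorted(flagged(found, PER_FUNCTION)))
        print(proto, "wildcard:    ", sorted(flagged(found, WILDCARD)))
```

With the per-function table both imports pass unflagged; with the wildcard table both are flagged, whichever opcode encodes the import.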

Preconditions

  • config: The victim must deserialize a pickle file using a Python application that relies on picklescan (before 0.0.33) for security scanning.
  • network: The attacker must be able to deliver a crafted pickle file to the victim (e.g., via email, upload, or network share).

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
