PickleScan - Unsafe Globals Check Bypass via pty.spawn Function
Description
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <0.0.33
Patches
Vulnerability mechanics
Root cause
"The `pty.spawn` function was missing from PickleScan's list of unsafe globals, allowing pickle payloads that reference it to bypass the dangerous-globals check."
Attack vector
An attacker crafts a pickle payload that references `pty.spawn` (a function that spawns a shell) and embeds it in a PyTorch model or ZIP archive. When PickleScan (before 0.0.33) scans the file, it flags `pty.spawn` as only "suspicious" rather than "dangerous", so the payload passes the security check. If the file is later loaded (e.g., via `pickle.load`), `pty.spawn` executes arbitrary commands on the victim's system. [ref_id=1]
Affected code
The vulnerability is in `src/picklescan/scanner.py` where the `_unsafe_globals` dictionary did not include `pty.spawn`. The patch adds `"pty": "spawn"` to that list.
What the fix does
The patch adds `"pty": "spawn"` to the `_unsafe_globals` dictionary in `scanner.py`. This ensures that `pty.spawn` is classified as a dangerous global, causing PickleScan to block pickle payloads that attempt to use it. Without this entry, the function was only flagged as "suspicious" and did not prevent the payload from being considered safe. [ref_id=1]
Preconditions
- inputThe victim must process a malicious pickle file (e.g., a PyTorch model) with PickleScan before version 0.0.33.
- configThe malicious file must later be loaded by a pickle deserializer (e.g., `pickle.load` or `torch.load`) for code execution to occur.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-hgrh-qx5j-jfwxghsaADVISORY
- github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwxghsavendor-advisory
- www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-functionghsathird-party-advisory
- github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dabghsa
- github.com/mmaitre314/picklescan/pull/53ghsa
- github.com/mmaitre314/picklescan/releases/tag/v0.0.33ghsa
- nvd.nist.gov/vuln/detail/CVE-2025-71322ghsa
News mentions
0No linked articles in our index yet.