picklescan - Remote Code Execution via Unblocked ctypes Module
Description
picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox protections and gadget chain detection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <0.0.33
Patches
Vulnerability mechanics
Root cause
"picklescan's dangerous-module allowlist does not include ctypes, so pickle files that use ctypes.WinDll to load kernel32.dll and call WinExec are not flagged as malicious."
Attack vector
An attacker crafts a malicious pickle file that chains `ctypes.WinDll`, `operator.itemgetter`, and `operator.methodcaller` to load `kernel32.dll` and call `WinExec` with an arbitrary command (e.g. `calc.exe`). Because picklescan does not flag `ctypes` as dangerous, the pickle file passes the scanner's checks. When a victim loads the pickle with `pickle.load()`, the deserialization triggers the chain and executes the attacker's command [ref_id=1]. This bypasses the sandbox protections and gadget-chain detection that picklescan is meant to enforce.
Affected code
The picklescan library before version 0.0.33 does not include `ctypes` in its list of blocked/dangerous modules. Because `ctypes` provides a foreign function interface that can load DLLs, call C functions directly, and manipulate raw memory pointers, the scanner fails to flag pickle files that use `ctypes.WinDLL` to load `kernel32.dll` and invoke `WinExec` [ref_id=1].
What the fix does
The advisory states that picklescan before 0.0.33 fails to block the `ctypes` module. The fix (presumably in version 0.0.33) adds `ctypes` to the list of dangerous modules that the scanner checks. This prevents pickle files that reference `ctypes.WinDll` or similar ctypes constructs from passing the scan, closing the direct-syscall and raw-memory-access loophole that the original gadget-chain detection missed [ref_id=1].
Preconditions
- configThe victim must use picklescan version 0.0.32 or earlier to scan the pickle file (or not scan it at all).
- inputThe victim must call pickle.load() on the attacker-supplied pickle file.
- configThe attack targets Windows systems where kernel32.dll is available.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-4675-36f9-wf6rghsaADVISORY
- github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6rghsavendor-advisory
- www.vulncheck.com/advisories/picklescan-remote-code-execution-via-unblocked-ctypes-moduleghsathird-party-advisory
- github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dabghsa
- github.com/mmaitre314/picklescan/pull/53ghsa
- github.com/mmaitre314/picklescan/releases/tag/v0.0.33ghsa
- nvd.nist.gov/vuln/detail/CVE-2025-71323ghsa
News mentions
0No linked articles in our index yet.