picklescan - Remote Code Execution via Undetected profile.Profile.runctx
Description
picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution when the pickle file is loaded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <0.0.29
Patches
Vulnerability mechanics
Root cause
"Picklescan before 0.0.29 omits profile.Profile.runctx from its list of dangerous reduce callables, allowing attacker-controlled code execution via pickle.load()."
Attack vector
An attacker crafts a malicious pickle file whose `__reduce__` method returns `profile.Profile.runctx` along with attacker-controlled arguments (a Profile instance, a payload string, and empty dictionaries) [ref_id=1]. Picklescan 0.0.28 and earlier do not flag `Profile.runctx` as dangerous, so the file passes the scan. When the victim subsequently calls `pickle.load()` on the file, Python executes `Profile.runctx` with the embedded payload (`__import__('os').system('whoami')`), achieving remote code execution.
Affected code
The advisory identifies that Picklescan before version 0.0.29 fails to detect `profile.Profile.runctx` when analyzing pickle files [ref_id=1]. The execution path that Picklescan fails to flag is the `__reduce__` method of the attacker's class, which returns `Profile.runctx` as the callable to be invoked during unpickling.
What the fix does
The advisory does not include a patch diff, but the fix (released in Picklescan 0.0.29) adds `profile.Profile.runctx` to the list of dangerous functions that Picklescan detects during pickle file analysis [ref_id=1]. This ensures that any pickle file referencing `Profile.runctx` in a `__reduce__` call is flagged as unsafe before the user loads it with `pickle.load()`.
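The detection gap in the attack vector above and the shape of the 0.0.29 fix can both be seen in a minimal opcode-level scanner. The code below is an added example, not picklescan's own scanner or deny-list: the two tables, the function names and the sample pickles are all constructed for illustration. It walks a pickle with `pickletools.genops` (never unpickling it), collects every `GLOBAL`/`STACK_GLOBAL` import, and checks it against a deny-list. The samples only reference `profile.Profile.runctx` and then stop; they carry no call and no payload, which is enough to show that a deny-list without that entry lets the reference through and one with it flags the file.

```python
import pickle
import pickletools
from typing import Dict, List, Set, Tuple

# Constructed deny-list in the style of a module -> names table. "*" means any
# name in that module. This is NOT picklescan's real table, only a stand-in for
# a version that predates the 0.0.29 fix.
UNSAFE_BEFORE_FIX: Dict[str, Set[str]] = {
    "builtins": {"eval", "exec", "compile", "open", "getattr"},
    "os": {"*"},
    "subprocess": {"*"},
}

# The fix described in the advisory amounts to one added entry.
UNSAFE_AFTER_FIX: Dict[str, Set[str]] = {
    **UNSAFE_BEFORE_FIX,
    "profile": {"Profile.runctx"},
}

# Opcodes that push a str onto the pickle stack; STACK_GLOBAL consumes two of them.
_STRING_OPS = {
    "SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
    "STRING", "BINSTRING", "SHORT_BINSTRING",
}


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) the pickle imports, without executing it.

    GLOBAL carries "module name" as its text argument. STACK_GLOBAL takes the
    module and qualified name from the two most recent string pushes; tracking
    only direct string pushes is a simplification (a memo lookup via BINGET is
    not followed here).
    """
    refs: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name in _STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string operands")
            name = recent_strings.pop()
            module = recent_strings.pop()
            refs.append((module, name))
    return refs


def scan(data: bytes, unsafe: Dict[str, Set[str]]) -> List[str]:
    """Return the dotted names of every referenced global on the deny-list."""
    findings: List[str] = []
    for module, name in referenced_globals(data):
        names = unsafe.get(module)
        if names and ("*" in names or name in names):
            findings.append(f"{module}.{name}")
    return findings


# Constructed samples. Each merely references profile.Profile.runctx and stops;
# nothing is called when they are loaded, but a scanner must still flag the import.
GLOBAL_REF = b"cprofile\nProfile.runctx\n."                     # legacy text GLOBAL opcode
STACK_GLOBAL_REF = b"\x80\x04\x8c\x07profile\x8c\x0eProfile.runctx\x93."  # protocol-4 STACK_GLOBAL
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)     # plain data, no imports


if __name__ == "__main__":
    for label, blob in (("GLOBAL", GLOBAL_REF), ("STACK_GLOBAL", STACK_GLOBAL_REF), ("benign", BENIGN)):
        print(f"{label:13s} before fix: {scan(blob, UNSAFE_BEFORE_FIX)}  after fix: {scan(blob, UNSAFE_AFTER_FIX)}")
```

The scanner only reads opcodes, so it is safe to run on untrusted input; the whole class of bug in this advisory is a deny-list omission, which is why the before/after tables differ by a single entry while the parsing code is unchanged.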
Preconditions
- config: The victim uses Picklescan version 0.0.28 or earlier to scan pickle files and relies on it to detect malicious content.
- auth: The victim loads the attacker-supplied pickle file using pickle.load() after the scan reports no danger.
- input: The attacker can deliver a malicious pickle file to the victim (e.g., via a PyTorch model, API upload, or saved Python object).
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mmaitre314/picklescan/security/advisories/GHSA-6vqj-c2q5-j97w (mitre; vendor-advisory)
- www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-profile-profile-runctx (mitre; third-party-advisory)