picklescan - Remote Code Execution via timeit.timeit() Detection Bypass
Description
picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute when pickle.load() is called.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <0.0.25
Patches
Vulnerability mechanics
Root cause
"The unsafe-globals blacklist in picklescan did not include the built-in `timeit` library, so `timeit.timeit()` in `__reduce__` was not flagged as dangerous."
Attack vector
An attacker crafts a malicious pickle file whose `__reduce__` method returns `timeit.timeit` along with a string argument that imports `os` and executes arbitrary system commands (e.g., `curl`). The attacker distributes this pickle file to a victim who scans it with picklescan; because `timeit` is not in the unsafe-globals blacklist, the scan reports zero dangerous globals. The victim then calls `pickle.load()`, which triggers `timeit.timeit()` and runs the attacker's OS command [ref_id=1].
Affected code
The advisory identifies picklescan before version 0.0.25 as affected. The defect is in the unsafe-globals blacklist, which did not include the built-in `timeit` library, allowing `timeit.timeit()` to be used in `__reduce__` without detection [ref_id=1].
What the fix does
The advisory recommends adding `timeit` to the unsafe-globals blacklist so that `timeit.timeit()` is flagged as a dangerous global during scanning. No patch diff is provided in the bundle, but the fix would cause picklescan to detect any pickle file that references `timeit` in its `__reduce__` method, preventing the bypass [ref_id=1].
Preconditions
- config: Victim uses picklescan version prior to 0.0.25 to scan a pickle file before loading it.
- network: Attacker can deliver a crafted pickle file to the victim (e.g., via a PyTorch model, API upload, or saved Python object).
- input: Victim subsequently calls pickle.load() on the attacker-supplied file.
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc (mitre, vendor-advisory)
- www.vulncheck.com/advisories/picklescan-remote-code-execution-via-timeit-timeit-detection-bypass (mitre, third-party-advisory)