picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran.myeval Detection Bypass

An attacker crafts a pickle file whose `__reduce__` method returns `numpy.f2py.crackfortran.myeval` as the callable and an arbitrary command string (e.g. `os.system('ls')`) as the argument [ref_id=1]. The victim first runs picklescan (pre-0.0.33) on the file, which reports no dangerous functions because `myeval` is not in its detection list, and then loads the file with `pickle.load()`, causing the embedded command to execute. This is a classic deserialization attack that bypasses a security scanner (CWE-502, CWE-693).

The advisory identifies `picklescan` before version 0.0.33 as the affected component; it fails to detect malicious pickle files that abuse `numpy.f2py.crackfortran.myeval` via the `__reduce__` method [ref_id=1]. The vulnerable path is in pickle-scanning logic that does not flag `myeval` as a dangerous function, allowing an attacker to embed arbitrary code execution inside a PyTorch model or other pickle-serialized object.

The advisory does not publish a patch diff, but states that picklescan version 0.0.33 adds `numpy.f2py.crackfortran.myeval` to its list of dangerous functions that trigger detection [ref_id=1]. By including the missing function in the scanner's allowlist/blocklist, the tool now flags any pickle file that uses `myeval` in a `__reduce__` gadget chain, preventing the bypass. No further details about the exact code change are available in the provided bundle.