picklescan - Arbitrary Code Execution via Undetected idlelib.autocomplete.AutoComplete.fetch_completions

An attacker crafts a pickle payload that calls `idlelib.autocomplete.AutoComplete.fetch_completions` inside the `__reduce__` method [ref_id=1]. The attacker distributes the malicious pickle file (e.g., embedded in a PyTorch model or saved Python object). When a victim runs picklescan on the file, the library does not flag the payload as dangerous. The victim then calls `pickle.load()` on the file, which triggers the `fetch_completions` function and executes arbitrary commands supplied by the attacker [ref_id=1].

The vulnerability lies in picklescan before version 0.0.29, which fails to detect malicious pickle files that use `idlelib.autocomplete.AutoComplete.fetch_completions` in the `__reduce__` method. The missing detection occurs because picklescan's allowlist or blocklist does not cover this built-in Python library function, allowing it to bypass security checks.

The advisory does not include a patch diff, but the fix is to update picklescan to version 0.0.29 or later, which adds detection for `idlelib.autocomplete.AutoComplete.fetch_completions` in the reduce method [ref_id=1]. The remediation closes the gap by expanding the library's blocklist to cover this built-in Python function, so that any pickle file attempting to use it is flagged as malicious before `pickle.load()` is called.