picklescan - Arbitrary File Read via Unsafe Pickle Deserialization
Description
picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <0.0.35
Vulnerability mechanics
Root cause
"Unsafe pickle deserialization allows chaining io.FileIO and urllib.request.urlopen to bypass RCE-focused blocklists and exfiltrate arbitrary files."
Attack vector
An unauthenticated attacker crafts a malicious pickle file that, when deserialized by picklescan, uses `io.FileIO` to open a local file (e.g., `/etc/hosts`) and passes that file object as the body of a POST request via `urllib.request.urlopen` to an attacker-controlled URL [ref_id=1]. The file content is streamed directly to the external server during unpickling, achieving arbitrary file read and SSRF without triggering RCE keyword filters [ref_id=1].
Affected code
The advisory identifies that picklescan before version 0.0.35 deserializes untrusted pickle data without adequate filtering. The vulnerability chains `io.FileIO` and `urllib.request.urlopen` to bypass RCE-focused blocklists [ref_id=1].
What the fix does
The advisory does not include a published patch diff, but the fix is to upgrade to picklescan 0.0.35 or later [ref_id=1]. The remediation likely involves extending the blocklist or deserialization sandbox to cover `io.FileIO` and `urllib.request.urlopen` in addition to RCE-related keywords, preventing arbitrary file reads and SSRF during unpickling.
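A static check in the spirit of the blocklist extension described above, as an added example (not picklescan's code and not taken from the advisory): it disassembles a pickle with `pickletools.genops`, never loading it, and flags imports of the two callables the advisory names. `DENY`, `flag_globals` and the sample byte strings are constructed for illustration; the samples only reference the names and call nothing.

```python
import pickle
import pickletools

# Deny set holds only the two callables named in the advisory (assumption:
# a production scanner would carry a much longer list).
DENY = {("io", "FileIO"), ("urllib.request", "urlopen")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def flag_globals(data: bytes) -> list[tuple[str, str]]:
    """Return denied (module, name) imports found by walking the opcodes.

    The stream is disassembled only; pickle.load is never called on it.
    """
    hits, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            # Protocols 0-3: arg arrives as one "module name" string.
            module, _, name = arg.partition(" ")
            if (module, name) in DENY:
                hits.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Protocol 4+: module and name are the two most recent strings.
            # Simplification: strings fetched back from the memo are not
            # tracked, so treat an empty result as "nothing found", not "safe".
            pair = (strings[-2], strings[-1])
            if pair in DENY:
                hits.append(pair)
    return hits


# Constructed samples. They import the names but contain no call opcode.
SAMPLE_P0 = b"cio\nFileIO\ncurllib.request\nurlopen\n\x86."
SAMPLE_P4 = b"\x80\x04\x8c\x0eurllib.request\x8c\x07urlopen\x93."
BENIGN = pickle.dumps({"weights": [1, 2, 3]})

if __name__ == "__main__":
    for label, blob in (("p0", SAMPLE_P0), ("p4", SAMPLE_P4), ("benign", BENIGN)):
        print(label, flag_globals(blob))
```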
Preconditions
- config: The application must deserialize untrusted pickle data without blocking `io.FileIO` or `urllib.request.urlopen`.
- auth: No authentication is required; the attacker only needs to supply a malicious pickle file.
- network: The attacker must be able to deliver the crafted pickle to the picklescan deserialization routine (e.g., via file upload or network input).
- input: The attacker controls an external HTTP server to receive the exfiltrated file content.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9726-w42j-3qjr (ghsa, advisory)
- github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr (ghsa, vendor-advisory)
- www.vulncheck.com/advisories/picklescan-arbitrary-file-read-via-unsafe-pickle-deserialization (ghsa, third-party-advisory)
- github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1 (ghsa)
- github.com/mmaitre314/picklescan/pull/55 (ghsa)
- github.com/mmaitre314/picklescan/releases/tag/v0.0.35 (ghsa)
- nvd.nist.gov/vuln/detail/CVE-2026-53872 (ghsa)