picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass
Description
picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <1.0.4
Patches
Vulnerability mechanics
Root cause
"The blocklist entry for the profile module uses exact string matching against class‑method names (Profile.run, Profile.runctx) but omits the module‑level function names (run, runctx), allowing a trivial bypass."
Attack vector
An attacker crafts a malicious pickle file whose GLOBAL opcode references the module‑level function `profile.run`. The picklescan blocklist only contains `Profile.run` and `Profile.runctx`, so the exact‑string comparison at line 414 does not flag `"run"` [ref_id=1]. When the pickle is deserialized, `profile.run(statement)` calls `exec(statement)` internally, achieving arbitrary code execution while picklescan reports zero issues [ref_id=1].
Affected code
The blocklist entry in `scanner.py` line 199 maps the `profile` module to `{"Profile.run", "Profile.runctx"}`. The opcode parser extracts the global name `"run"` from a pickle, and the exact‑string check at line 414 (`g.name in unsafe_filter`) fails because `"run" != "Profile.run"`. This allows `profile.run()` to bypass detection entirely [ref_id=1].
What the fix does
The advisory recommends changing the blocklist entry from `"profile": {"Profile.run", "Profile.runctx"}` to either a wildcard `"*"` or explicitly adding the module‑level functions `"run"` and `"runctx"` [ref_id=1]. This ensures that the exact‑string match at line 414 catches the module‑level `profile.run()` and `profile.runctx()` functions, which internally call `exec()` and provide the same code‑execution capability as the class methods.
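The sketch below is an added example, not picklescan's own code. It is a simplified model of the exact-string check described above, run against the blocklist entry before the fix and against both suggested corrections. The function names, the constructed sample bytes and the reading of `"*"` as "any name in the module" are assumptions made for illustration.

```python
import pickletools

# Blocklist entry as described above, plus both corrections the advisory suggests.
BEFORE = {"profile": {"Profile.run", "Profile.runctx"}}
AFTER_EXPLICIT = {"profile": {"Profile.run", "Profile.runctx", "run", "runctx"}}
AFTER_WILDCARD = {"profile": "*"}  # assumption: "*" means "any name in this module"

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE"}

# Constructed samples: each only *references* profile.run (no REDUCE, no argument).
# They are parsed with pickletools and never passed to pickle.loads.
SAMPLE_GLOBAL = b"cprofile\nrun\n."  # GLOBAL opcode 'c', module "profile", name "run"
SAMPLE_STACK_GLOBAL = b"\x80\x04\x8c\x07profile\x8c\x03run\x93."  # protocol 4 form


def extract_globals(data: bytes):
    """Return (module, name) pairs a pickle imports, without deserializing it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # genops joins the pair with a space
            found.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Simplification: take the two most recent string pushes.
            found.append((strings[-2], strings[-1]))
    return found


def scan(data: bytes, blocklist: dict):
    """Flag globals using the exact-string membership test the page describes."""
    hits = []
    for module, name in extract_globals(data):
        unsafe_filter = blocklist.get(module)
        if unsafe_filter is None:
            continue
        if unsafe_filter == "*" or name in unsafe_filter:
            hits.append(f"{module}.{name}")
    return hits


if __name__ == "__main__":
    for label, bl in [("before", BEFORE), ("explicit", AFTER_EXPLICIT), ("wildcard", AFTER_WILDCARD)]:
        print(label, scan(SAMPLE_GLOBAL, bl), scan(SAMPLE_STACK_GLOBAL, bl))
```

A check like this works as a regression test for any blocklist entry: for every module listed, confirm that both the class-qualified names and the module-level names are flagged, in both the `GLOBAL` and `STACK_GLOBAL` encodings.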
Preconditions
- input: The victim must deserialize a pickle file (e.g., via pickle.loads) that references profile.run.
- config: picklescan must be used as a security scanner before deserialization; the bypass causes it to report 0 issues.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7wx9-6375-f5wh (ghsa, ADVISORY)
- github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh (ghsa, vendor-advisory)
- www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-profile-run-blocklist-bypass (ghsa, third-party-advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-53873 (ghsa)