picklescan - Arbitrary Code Execution via Obfuscated eval Call
Description
picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <1.0.1
Patches
Vulnerability mechanics
Root cause
"Missing detection of `builtins.eval` when it is nested under another callable via `getattr`."
Attack vector
An unauthenticated attacker crafts a malicious pickle file where the `__reduce__` method returns a tuple whose first element is a callable that internally uses `getattr(builtins, "eval")` to execute arbitrary code. When picklescan scans the file, it does not detect the obfuscated `eval` call, so the pickle passes validation. Any system that loads the pickle from an untrusted source (e.g., ML model repositories, APIs, or saved Python objects) will then execute the attacker's payload.
Affected code
The vulnerability resides in picklescan's detection logic, which fails to flag `builtins.eval` calls when they are nested under another callable via `getattr`. The PoC in [ref_id=1] shows that wrapping `getattr(builtins, "eval")(payload)` inside a static method of a class evades the scanner's checks.
What the fix does
The advisory [ref_id=1] does not include a patch diff, but the fix (picklescan 1.0.1) must extend the scanner's AST or bytecode analysis to recursively inspect callables returned by `__reduce__` and detect `builtins.eval` even when accessed via `getattr`. Without this change, attackers can trivially bypass detection by hiding the dangerous function behind a layer of indirection.
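As an added example (not picklescan's code and not the 1.0.1 fix), the scanner below takes the opposite approach to a denylist: it walks the opcodes with `pickletools.genops`, without unpickling, and reports every imported global outside an allowlist, so `builtins.getattr` is flagged even when no dangerous name is imported directly. The allowlist contents, the function names and the harmless `Indirect` sample are assumptions made for the illustration.

```python
import pickle
import pickletools

# Assumption: the only globals this application's own pickles need.
ALLOWED_GLOBALS = {("builtins", "str"), ("collections", "OrderedDict")}
PUSH_STR = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
            "STRING", "BINSTRING", "SHORT_BINSTRING"}
GETS = {"GET", "BINGET", "LONG_BINGET"}
PUTS = {"PUT", "BINPUT", "LONG_BINPUT"}


def imported_globals(data):
    """List (module, name) for every import opcode, without unpickling."""
    found, memo, window, last = [], {}, [], None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in PUSH_STR or name in GETS:
            # Strings reach STACK_GLOBAL directly or through the memo.
            last = memo.get(arg) if name in GETS else arg
            window = window + [last] if isinstance(last, str) else []
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in PUTS:
            memo[arg] = last
        elif name != "FRAME":
            if name == "GLOBAL":
                found.append(tuple(arg.split(" ", 1)))
            elif name == "STACK_GLOBAL":
                # Fail closed unless module and name were pushed just before.
                found.append(tuple(window[-2:]) if len(window) >= 2
                             else ("<unresolved>", "<unresolved>"))
            window, last = [], None
    return found


def disallowed_globals(data):
    """Imports outside the allowlist; a non-empty result means reject."""
    return sorted({g for g in imported_globals(data)
                   if g not in ALLOWED_GLOBALS})


class Indirect:
    """Constructed, harmless sample: unpickles to the method str.upper."""
    def __reduce__(self):
        return getattr, (str, "upper")


SAMPLE = pickle.dumps(Indirect(), protocol=4)
print(disallowed_globals(SAMPLE))
```

The sample imports only `builtins.getattr` and `builtins.str`; the attribute actually reached (`upper`) is an ordinary string argument, which is why a scanner keyed on imported names has to treat `getattr` itself as a finding.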
Preconditions
- input: The victim must load a pickle file from an untrusted source (e.g., a downloaded ML model or API payload).
- config: picklescan must be used to scan the pickle before loading; the scanner version must be older than 1.0.1.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9m3x-qqw2-h32h (ghsa, ADVISORY)
- github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h (ghsa, vendor-advisory)
- www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-obfuscated-eval-call (ghsa, third-party-advisory)
- github.com/mmaitre314/picklescan/commit/173c8f2a869ea9b69b543477525ec70611c3c6f4 (ghsa)
- github.com/mmaitre314/picklescan/pull/59 (ghsa)
- github.com/mmaitre314/picklescan/releases/tag/v1.0.1 (ghsa)
- nvd.nist.gov/vuln/detail/CVE-2026-53874 (ghsa)