picklescan - Remote Code Execution via Unblocked Standard Library Modules
Description
picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib), exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <1.0.4
Patches
Vulnerability mechanics
Root cause
"The blocklist (`_unsafe_globals`) in picklescan v1.0.3 omits multiple Python standard library modules that provide direct arbitrary command execution."
Attack vector
An attacker crafts a malicious pickle file that imports one of the unblocked standard library modules (e.g., `uuid`, `imaplib`, `_osx_support`) and calls a function such as `_get_command_stdout` or `IMAP4_stream`, which internally executes arbitrary commands via `subprocess.Popen` or `os.system`. picklescan reports the file as clean (0 issues), giving the victim no warning. When the victim loads the pickle (e.g., from HuggingFace Hub), the attacker's command runs with the victim's privileges [ref_id=1]. The preconditions are that the target uses picklescan for safety validation and that the attacker can supply a pickle file (e.g., upload to a model registry). [CWE-502]
Affected code
The advisory details that picklescan v1.0.3's `_unsafe_globals` dict in `scanner.py` (lines 120–219) contains only ~60 entries and fails to block at least seven Python standard library modules: `uuid`, `_osx_support`, `_aix_support`, `_pyrepl.pager`, `imaplib`, `test`, and `test.support.script_helper`. None of these modules appear in the blocklist, allowing eight RCE-capable functions to pass undetected [ref_id=1].
What the fix does
The fix must add the missing modules (e.g., `uuid`, `_osx_support`, `_aix_support`, `_pyrepl`, `imaplib`, `test`) to the `_unsafe_globals` blocklist. The advisory further recommends an architectural shift to an allowlist (default-deny) approach so that any unknown global is treated as dangerous rather than relying on a blocklist that can be perpetually bypassed [ref_id=1]. As no patch code is shown, the exact changes are not visible, but the guidance is clear on which entries need to be added.
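The default-deny approach the advisory recommends, as an added example that is not picklescan's own code: a walker over the pickle opcode stream (via `pickletools`, so nothing is executed) lists every global the file references and reports anything outside an allowlist, so a reference into `uuid` is flagged even though no blocklist entry names it. The allowlist contents, the `referenced_globals` and `scan` functions, and the sample pickles are all constructed for this example.

```python
import collections
import pickle
import pickletools
import uuid

# Default-deny allowlist: the only globals a pickle may reference (constructed for
# this example; a deployment would list exactly what its model files need).
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the stream imports. GLOBAL carries 'module name' inline;
    STACK_GLOBAL consumes the last two pushed strings, which may come from the memo."""
    found, strings, memo, n_memo, top_is_str = [], [], {}, 0, False
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            if top_is_str:                       # MEMOIZE has no arg: implicit slot
                memo[n_memo if arg is None else arg] = strings[-1]
            n_memo += 1
            continue                             # stack top unchanged
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            top_is_str = arg in memo             # a memoised string re-pushed
            if top_is_str:
                strings.append(memo[arg])
            continue
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)     # malformed pair raises ValueError
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL")
            found.append((strings[-2], strings[-1]))
        top_is_str = op.name in STRING_OPS
    return found

def scan(data: bytes) -> list[str]:
    """Findings for every global outside the allowlist; [] means clean."""
    return [f"{m}.{n}" for m, n in referenced_globals(data)
            if (m, n) not in ALLOWED_GLOBALS]

# Constructed samples: plain data, an allowlisted global, and a bare reference to a
# function in a module v1.0.3 never blocked (loading it only returns the function).
CLEAN = pickle.dumps({"weights": [0.5, 1.5]})
LISTED = pickle.dumps(collections.OrderedDict(a=1))
UNLISTED_P2 = pickle.dumps(uuid.uuid4, protocol=2)   # GLOBAL form
UNLISTED_P4 = pickle.dumps(uuid.uuid4, protocol=4)   # STACK_GLOBAL form
```

A loader built on this refuses the whole file on any finding, rather than trying to enumerate every dangerous module after the fact.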
Preconditions
- Config: Target system uses picklescan (<=1.0.3) to validate pickle files before loading
- Input: Attacker can deliver a malicious pickle file to the target, e.g., by uploading to HuggingFace Hub or a model registry
Reproduction
The advisory includes a full PoC that constructs a pickle payload using `uuid._get_command_stdout` to run `id`. The payload is 55 bytes, and when scanned with `scan_pickle_bytes`, the result shows 0 issues; when executed with `pickle.loads`, it runs the `id` command [ref_id=1].
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp (MITRE, vendor advisory)
- www.vulncheck.com/advisories/picklescan-remote-code-execution-via-unblocked-standard-library-modules (MITRE, third-party advisory)