UNKNOWN PyPI
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length
GHSA-6556-fwc2-fg2p
Published · Modified
Description
Summary
Picklescan uses the numpy.f2py.crackfortran._eval_length function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.
Details
Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran._eval_length in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.
PoC
class PoC:
def __reduce__(self):
from numpy.f2py.crackfortran import _eval_length
return _eval_length, ("__import__('os').system('whoami')", None)
Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply‑chain poisoning of shared model files.
Credits
References
- WEB https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p
- WEB https://github.com/mmaitre314/picklescan/pull/53
- WEB https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab
- PACKAGE https://github.com/mmaitre314/picklescan
- WEB https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33
Ready to move
Start Securing
Free, no credit card | First findings in minutes