CVE-2025-10157: picklescan bypass leading to arbitrary code execution

ISGroup Cybersecurity

picklescan is a popular open-source Python library designed to detect and prevent vulnerabilities related to insecure deserialization in Python’s pickle format. It is widely used in Machine Learning (ML) and Artificial Intelligence (AI) pipelines to scan pre-trained models for malicious code before they are loaded, serving as a critical security check in the MLOps lifecycle. Any application that handles serialized data from untrusted sources can rely on this tool for protection.

The impact of this vulnerability is critical. It represents a complete bypass of the scanner’s security mechanism, rendering it ineffective. An attacker can create a malicious file that the tool erroneously certifies as “safe” and which, once loaded by a downstream application, leads to unauthenticated remote code execution.

Public exploit code is available for this vulnerability and, given its nature as a security control bypass, active exploitation is highly likely. Any organization using vulnerable versions of picklescan to sanitize untrusted files, particularly those incorporating third-party ML models, is at immediate risk of system compromise.

Productpicklescan
Date2025-12-05 12:14:05

Technical Summary

The vulnerability is due to inadequate checking of dangerous modules and functions within the unsafe_globals validation logic. The root cause is a CWE-183: Permissive Regular Expression (or a similar logic flaw), where the scanner performs an exact string comparison against a blocklist containing known dangerous modules (e.g., “asyncio”, “subprocess”), but does not recursively verify the submodules of those packages.

The attack chain is as follows:

  1. An attacker creates a malicious pickle file containing a payload that invokes a dangerous function from a submodule of a blocked package (e.g., asyncio.unix_events instead of the parent package asyncio).
  2. The vulnerable version of picklescan analyzes the file. Its scanner compares the module “asyncio.unix_events” against its internal blocklist.
  3. Since the blocklist only contains the exact entry “asyncio”, the check does not find a match, and picklescan erroneously reports the malicious file as safe.
  4. A downstream application, trusting the scanner’s output, loads the pickle file via pickle.load().
  5. The Python deserializer executes the embedded payload, granting the attacker arbitrary code execution with the permissions of the application process.

Affected versions:

  • picklescan versions 0.0.30 and earlier are vulnerable.

A conceptual example of the flawed logic:

# Vulnerable Logic (Conceptual)
def is_dangerous(module_name):
    blocklist = {"os", "subprocess", "asyncio"}
    return module_name in blocklist # Fails for "os.path"

# Fixed Logic (Conceptual)
def is_dangerous_fixed(module_name):
    blocklist = {"os", "subprocess", "asyncio"}
    # Checks if the module or any of its parent packages are in the blocklist
    parts = module_name.split('.')
    for i in range(len(parts)):
        sub_module = ".".join(parts[:i+1])
        if sub_module in blocklist:
            return True
    return False

This bypass completely undermines the security guarantee offered by the library, allowing an experienced attacker to fully compromise the system.

Recommendations

  • Apply the patch immediately: update the picklescan library to a version later than 0.0.30. All previous versions are considered vulnerable.
  • Mitigations: if it is not possible to apply the patch immediately, treat all files scanned by vulnerable versions of picklescan as untrusted. The most effective mitigation is to disable the automatic loading of pickle files or ML models from unverified or untrusted sources.
  • Hunting and monitoring:
    • Re-scan all existing pickle files and ML models in the environment with a corrected version of the scanner.
    • Monitor application logs for anomalous behavior, errors during deserialization, or the unexpected creation of child processes (e.g., shells, reverse shells) by Python applications handling pickle files.
    • Analyze network traffic for unexpected outbound connections from servers serving ML models or processing data.

  • Incident Response: in case of suspected compromise, immediately isolate the affected host from the network to prevent lateral movement. Preserve the malicious file and system logs for forensic analysis. Initiate a credential rotation protocol for all services running on or accessible from the compromised machine.
  • Defense in depth: never deserialize data from untrusted sources. Run applications that process external data, such as APIs for loading ML models, in sandboxed or containerized environments with minimal privileges and strict egress traffic filtering.

[Callforaction-THREAT-Footer]