picklescan is a widely used open-source tool for scanning machine learning models and other file archives for malicious Python pickle data. Pickle files are a common serialization format in Python, but they are notoriously insecure, as deserializing a specially crafted pickle object can lead to arbitrary code execution. This library is often integrated into security pipelines, artifact repositories, and file upload systems to prevent attacks against applications that process AI/ML models or other Python data structures.
The impact of this vulnerability is critical. It allows for the complete bypass of the scanner’s security function. An unauthenticated attacker can create a malicious ZIP archive that picklescan will fail to analyze correctly, erroneously declaring it safe. When a downstream application trusts this result and processes the malicious pickle file contained within, unauthenticated remote code execution can occur.
There is a public exploit available for this vulnerability, and it is being widely discussed in security circles. Although it is not yet listed in the CISA KEV catalog, the availability of the exploit significantly increases the probability of active exploitation. Any internet-exposed application that uses this library to scan untrusted ZIP archives is at immediate risk of compromise.
| Product | picklescan |
| Date | 2025-12-05 00:16:11 |
Technical Summary
The root cause of the vulnerability is classified as CWE-755: Improper Handling of Exceptional Conditions. The ZIP scanning component of the picklescan tool does not correctly handle exceptions that occur during the processing of malformed files within a ZIP archive.
The attack chain proceeds as follows:
- The attacker creates a ZIP archive containing at least two files. The first file is intentionally corrupted with an incorrect Cyclic Redundancy Check (CRC). The second file is a legitimate but malicious pickle object.
- When picklescan opens the archive and attempts to read the first file, the corrupted CRC triggers a
zlib.errorexception. - The scanning function does not handle this specific exception within the file iteration loop. The unhandled exception propagates and causes the entire scanning process to terminate prematurely.
- Because the process crashes, the scanner never analyzes the second file containing the malicious pickle payload. No error is reported to the calling application indicating a partial or failed scan.
- The downstream application, assuming the scan completed successfully and detected no threats, proceeds to extract and deserialize the malicious pickle file, triggering the remote code execution payload.
Conceptual Code Difference:
# Vulnerable Logic
def scan_zip_archive(archive):
# An exception here terminates the entire function
for member in archive.infolist():
file_content = archive.read(member.filename)
scan_for_malicious_pickles(file_content)
# Patched Logic
def scan_zip_archive(archive):
for member in archive.infolist():
try:
# Exception is handled per-file, allowing the loop to continue
file_content = archive.read(member.filename)
scan_for_malicious_pickles(file_content)
except zlib.error:
log("Could not read member due to CRC error:", member.filename)
continue
An attacker can exploit this bypass to execute arbitrary code with the permissions of the application processing the file, leading to a full system compromise. The specifically affected versions have not been disclosed; users are advised to assume that all versions prior to the latest patch are vulnerable.
Recommendations
- Apply the patch immediately: Update the picklescan library to the latest available version. Developers should ensure that dependency management systems are configured to retrieve the patched release.
- Mitigations: If applying the patch immediately is not possible, encapsulate calls to the picklescan library in a robust exception handling block. Monitor for any exceptions originating from the library during ZIP processing and treat such events as scan failures, rejecting the archive. Consider temporarily disabling the processing of all ZIP files from untrusted sources.
- Hunting and Monitoring:
- Analyze system and application logs for unhandled exceptions regarding
zlib.erroror ZIP file processing, especially in Python applications. - Monitor Python processes that spawn unexpected child processes, such as
/bin/sh,bash,powershell.exe, or network utilities likecurlandwget. - Look for newly created files in unusual paths, especially those written by the account used to run the application that uses picklescan.
- Analyze system and application logs for unhandled exceptions regarding
- Incident Response: In case of suspected compromise, immediately isolate the affected host from the network to prevent lateral movement. Preserve logs, memory dumps, and disk images for forensic analysis. Investigate application activity to identify the time of compromise and any data that may have been exfiltrated.
- Defense in Depth: Run applications that process untrusted external files in sandboxed or containerized environments with minimal privileges. Implement network segmentation to limit the application’s ability to communicate with internal systems, reducing the impact of a potential breach.
[Callforaction-THREAT-Footer]
