Description
Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran.getlincoef gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded, bypassing Picklescan's safety checks and enabling supply-chain poisoning of shared model files.
Problem types
Deserialization of Untrusted Data
Product status
Any version before 0.0.33
0.0.33 (semver)
Credits
ac0d3r
Lyutoon
References
github.com/...lescan/security/advisories/GHSA-rrxm-2pvv-m66x
github.com/...lescan/security/advisories/GHSA-rrxm-2pvv-m66x (GitHub Security Advisory (GHSA-rrxm-2pvv-m66x))
www.vulncheck.com/...mpy-f2py-crackfortran-getlincoef-gadget (VulnCheck Advisory: Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran.getlincoef Gadget)