CVE-2019-6446
Published: 2019-01-16
Priority: P263 · critical · 9.8 (CVSS 3.0)
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 17.08% (96.7th percentile)
An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
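The description says a crafted serialized object reaches numpy.load; what actually gets unpickled is the payload of an object-dtype array, and the .npy header announces that dtype ('O' in its 'descr' field) before any pickle code runs. The Python below is added here as a worked example (it is not NumPy's code and not from any source on this page): it parses the .npy/.npz header without NumPy, refuses files that would need pickle, and only then hands the bytes to the real np.load() with allow_pickle=False. The build_npy/build_npz helpers, the SAMPLE_* constants and load_npy_safely are constructed for the demonstration; the only real NumPy API used is np.load(file, allow_pickle=False).

```python
"""Pre-flight inspection of .npy/.npz files for pickle-bearing (object) arrays.

Object-dtype arrays ('|O' in the .npy header's 'descr') are stored as pickles,
so loading them means unpickling attacker-controlled bytes (CVE-2019-6446).
Numeric arrays are raw data and load fine with allow_pickle=False.
"""
import ast
import io
import struct
import zipfile

NPY_MAGIC = b"\x93NUMPY"


def parse_npy_header(data: bytes) -> dict:
    """Parse magic, format version and header dict of a .npy file without NumPy.

    The header is a Python dict literal; ast.literal_eval parses it without
    evaluating code (unlike eval() or pickle).
    """
    if len(data) < 10 or not data.startswith(NPY_MAGIC):
        raise ValueError("not a .npy file (bad magic)")
    major, minor = data[6], data[7]
    if major == 1:                      # v1.0: 2-byte little-endian header length
        (hlen,) = struct.unpack("<H", data[8:10])
        start = 10
    elif major in (2, 3):               # v2.0/v3.0: 4-byte little-endian header length
        (hlen,) = struct.unpack("<I", data[8:12])
        start = 12
    else:
        raise ValueError(f"unsupported .npy format version {major}.{minor}")
    raw = data[start:start + hlen]
    if len(raw) != hlen:
        raise ValueError("truncated .npy header")
    header = ast.literal_eval(raw.decode("latin1").strip())
    if not isinstance(header, dict) or not all(k in header for k in ("descr", "fortran_order", "shape")):
        raise ValueError("malformed .npy header")
    return header


def descr_needs_pickle(descr) -> bool:
    """True if any field of the dtype descriptor is an object ('O') dtype."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, tuple) and len(descr) == 2 and isinstance(descr[1], tuple):
        return descr_needs_pickle(descr[0])          # sub-array dtype: (base, shape)
    if isinstance(descr, (list, tuple)):             # structured dtype: [(name, descr[, shape]), ...]
        return any(descr_needs_pickle(field[1]) for field in descr)
    return True                                      # anything unrecognised: treat as unsafe


def npy_needs_pickle(data: bytes) -> bool:
    return descr_needs_pickle(parse_npy_header(data)["descr"])


def npz_members_needing_pickle(data: bytes) -> list:
    """Names of .npy members inside an .npz (zip) archive that would require pickle."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            member = zf.read(name)
            if member.startswith(NPY_MAGIC) and npy_needs_pickle(member):
                flagged.append(name)
    return flagged


def load_npy_safely(path: str):
    """Hardened loader (hypothetical helper): inspect first, then np.load with pickle off.

    Passing allow_pickle=False explicitly matters on NumPy < 1.16.3, where the
    default was True (the CVE-2019-6446 behaviour).
    """
    import numpy as np  # only needed for the real load, not for the inspection
    with open(path, "rb") as fh:
        data = fh.read()
    if npy_needs_pickle(data):
        raise ValueError(f"{path}: object array would require pickle; refusing to load")
    return np.load(io.BytesIO(data), allow_pickle=False)


# ---- constructed sample files for the demo (not real artefacts) ----
def build_npy(header: str, payload: bytes, version: int = 1) -> bytes:
    """Assemble .npy bytes: magic, version, header length, 64-byte-aligned header, payload."""
    body = header.encode("latin1")
    prefix = 10 if version == 1 else 12
    pad = (64 - (prefix + len(body) + 1) % 64) % 64
    body += b" " * pad + b"\n"
    hlen = struct.pack("<H" if version == 1 else "<I", len(body))
    return NPY_MAGIC + bytes([version, 0]) + hlen + body + payload


def build_npz(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAFE_NPY = build_npy("{'descr': '<i8', 'fortran_order': False, 'shape': (3,), }",
                     struct.pack("<3q", 1, 2, 3))
OBJECT_NPY = build_npy("{'descr': '|O', 'fortran_order': False, 'shape': (1,), }",
                       b"<pickle bytes would sit here; this script never unpickles them>", version=2)
STRUCT_NPY = build_npy("{'descr': [('id', '<i4'), ('meta', '|O')], 'fortran_order': False, 'shape': (2,), }",
                       b"\x00" * 8)
SAMPLE_NPZ = build_npz({"weights.npy": SAFE_NPY, "meta.npy": OBJECT_NPY})

if __name__ == "__main__":
    for label, blob in (("SAFE_NPY", SAFE_NPY), ("OBJECT_NPY", OBJECT_NPY), ("STRUCT_NPY", STRUCT_NPY)):
        print(f"{label}: needs pickle = {npy_needs_pickle(blob)}")
    print("npz members needing pickle:", npz_members_needing_pickle(SAMPLE_NPZ))
```

The inspection never touches the array payload, so it is safe to run on untrusted uploads before any NumPy version sees them; a structured dtype with a single object field is flagged just like a plain object array.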
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| numpy | numpy | <= 1.16.0 | — |
| numpy | numpy | >= 0, < 1.16.1 | 1.16.1 |
| numpy | numpy | 0 – 1.16.0 | — |
The indexed ranges disagree among themselves and with the NVD description, which says "before 1.16.3" (the release in which np.load() stopped allowing pickle by default). Treat any NumPy below 1.16.3 as affected unless every np.load() call passes allow_pickle=False explicitly.
Detection & IOCs (extracted from sources)
semgrep (the rule below is a Semgrep rule from the Trail of Bits ruleset described further down, not a Sigma rule):
```yaml
rules:
  - id: pickles-in-numpy
    patterns:
      - pattern: numpy.load(..., allow_pickle=$VALUE)
      - metavariable-regex:
          metavariable: $VALUE
          regex: (True|^\d*[1-9]\d*$)
    message: |
      Functions reliant on pickle can result in arbitrary code execution.
      Consider using fickling or switching to a safer serialization method.
      For more information, see https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/
    languages:
      - python
    severity: ERROR
```
- Flag any call to numpy.load() where allow_pickle is set to True or any positive integer; these are the conditions that re-enable unsafe pickle deserialization and trigger the CVE-2019-6446 code-execution path.
- In NumPy versions before 1.16.3 (the OSV/GHSA text says "1.16.0 and earlier"), np.load() allowed pickles by default (allow_pickle=True implicitly), so any numpy.load() call on those versions without an explicit allow_pickle=False is suspicious.
- The attack vector is a crafted serialized (pickle) object passed to numpy.load(); treat untrusted .npy/.npz files as potentially malicious payloads. Only object-dtype arrays are stored as pickles; numeric arrays need no pickle and load normally with allow_pickle=False.
- The vulnerability only applies to NumPy versions before 1.16.3; versions 1.16.3+ set allow_pickle=False by default, so the risk is limited to older installs or code that explicitly re-enables pickling.
- Third parties dispute the severity of this issue because loading pickled arrays from trusted, authenticated sources is a legitimate use case; the provenance of the data matters when triaging alerts.
- Red Hat OpenStack Platform ships a vulnerable numpy version but assessed that it is not used in a vulnerable manner; evaluate the deployment context before treating every detection as exploitable.
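The Semgrep rule above catches the keyword form allow_pickle=True or a positive integer. The Python below is added here as a worked example (it is not the Trail of Bits rule and not any source's code): it reimplements that logic on Python's ast module so the check can run in CI without Semgrep, and goes a little beyond the rule by also flagging the positional form of allow_pickle, calls that pass nothing and therefore depend on the pre-1.16.3 default, and non-literal values that need manual review. SAMPLE_SOURCE is a constructed input, not a real code base.

```python
"""AST-based check for numpy.load() calls that (re-)enable pickle deserialization."""
import ast

# Position of allow_pickle in np.load(file, mmap_mode=None, allow_pickle=..., ...)
ALLOW_PICKLE_POSITION = 2


def numpy_aliases(tree: ast.Module) -> set:
    """Names bound to the numpy module: 'numpy' itself plus any 'import numpy as X'."""
    names = {"numpy"}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "numpy":
                    names.add(alias.asname or "numpy")
    return names


def is_numpy_load(call: ast.Call, aliases: set) -> bool:
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id in aliases)


def pickle_enabled_literal(node: ast.AST):
    """True/False for a literal value; None when the value is not a literal."""
    if not isinstance(node, ast.Constant):
        return None
    value = node.value
    if value is True:
        return True
    if isinstance(value, int) and not isinstance(value, bool):
        return value > 0          # mirrors the Semgrep regex: any positive integer
    return bool(value)


def find_unsafe_numpy_loads(source: str) -> list:
    """Return [(lineno, kind)] with kind in {'explicit', 'default', 'dynamic'}.

    explicit: allow_pickle is a literal that enables pickle (True or a positive int)
    default:  no allow_pickle given; pickle-enabled on NumPy < 1.16.3
    dynamic:  allow_pickle is computed at runtime; review by hand
    """
    tree = ast.parse(source)
    aliases = numpy_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and is_numpy_load(node, aliases)):
            continue
        value = None
        for kw in node.keywords:
            if kw.arg == "allow_pickle":
                value = kw.value
        if value is None and len(node.args) > ALLOW_PICKLE_POSITION:
            value = node.args[ALLOW_PICKLE_POSITION]
        if value is None:
            findings.append((node.lineno, "default"))
            continue
        literal = pickle_enabled_literal(value)
        if literal is None:
            findings.append((node.lineno, "dynamic"))
        elif literal:
            findings.append((node.lineno, "explicit"))
    return sorted(findings)


# Constructed sample input for the demo (not from any real code base)
SAMPLE_SOURCE = """\
import numpy as np
import numpy as npy_lib

weights = np.load("weights.npy", allow_pickle=True)      # explicit True
extra = np.load("extra.npy", allow_pickle=1)             # positive int, same effect
clean = np.load("clean.npy", allow_pickle=False)         # hardened call
embed = npy_lib.load("embeddings.npz")                   # relies on the version default
pos = np.load("pos.npy", None, True)                     # positional allow_pickle
dyn = np.load("dyn.npy", allow_pickle=trusted_source)    # needs manual review
table = np.loadtxt("table.csv")                          # not np.load, ignored
"""

if __name__ == "__main__":
    for lineno, kind in find_unsafe_numpy_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: allow_pickle {kind}")
```

Treat "default" findings according to the NumPy version pinned in the environment: they are clean on 1.16.3 and later and equivalent to "explicit" before that.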
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Red Hat (vendor) | — | 9.8 | CRITICAL | — |
OSV
Numpy Deserialization of Untrusted Data
osv · 2022-05-24 · CVE-2019-6446 [CRITICAL]
** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
GHSA
Numpy Deserialization of Untrusted Data
ghsa · 2022-05-24 · CVE-2019-6446 [CRITICAL] · CWE-502
Description identical to the OSV record above.
OSV
CVE-2019-6446: ** DISPUTED ** An issue was discovered in NumPy 1
osv · 2019-01-16 · CVE-2019-6446
Description identical to the OSV record above.
Red Hat
numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution
vendor_redhat · 2019-01-16 · CVSS 9.8 · CVE-2019-6446 [CRITICAL] · CWE-358
An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
Statement: Red Hat Enterprise Virtualization Management Appliance includes the vulnerable version of numpy, however it is not used and this vulnerability is not exposed.
Red Hat OpenStack Platform includes a vulnerable version of numpy, however it is not used in a vu
No public exploits indexed.
arXiv
LLM in the Middle: A Systematic Review of Threats and Mitigations to Real-World LLM-based Systems
arxiv_fulltext · 2025-09-12
Vitor Hugo Galhardo Moia (0000-0003-0396-2873), Igor Jochem Sanz (0000-0002-1122-0784), Gabriel Antonio Fontes Rebello (0000-0003-3344-0734), Rodrigo Duarte de Meneses (0009-0008-7026-6863), Briland Hitaj (0000-0001-5925-3027), and Ulf Lindqvist (0009-0002-5941-0947)
Vitor Hugo Galhardo Moia, Igor Jochem Sanz, Gabriel Antonio Fontes Rebello, and Rodrigo Duarte de Meneses are with Instituto de Pesquisas Eldorado, Av. Alan Turing, 275 - Cidade Universitária, Campinas - SP, 13083-898, Brazil (e-mail: [email protected]; [email protected]; [email protected]; [email protected])
Briland Hitaj and Ulf Lindqvist are with the Computer Science Lab, SRI International, 333
arXiv
Threat Assessment in Machine Learning based Systems
arxiv_fulltext · 2022-06-30
Lionel Nganyewou Tidjon and Foutse Khomh, Senior Member, IEEE
The authors are with Polytechnique Montréal, Montréal, QC H3C 3A7, Canada.
E-mail: {lionel.tidjon, foutse.khomh}@polymtl.ca
## Abstract
Machine learning is a field of artificial intelligence (AI) that is becoming essential for several critical systems, making it a good target for threat actors. Threat actors exploit different Tactics, Techniques, and Procedures (TTPs) against the confidentiality, integrity, and availability of Machine Learning (ML) systems. During the ML cycle, they exploit adversarial TTPs to poison data and fool ML-based systems. In recent years, multiple security practices have been proposed for traditional systems but they are not enough to cope with th
Bugzilla
CVE-2019-6446 python3-numpy: numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution [epel-6]
bugzilla · 2019-01-21 · CVSS 9.8 · CVE-2019-6446 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg c
Bugzilla
CVE-2019-6446 numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution [fedora-all]
bugzilla · 2019-01-21 · CVSS 9.8 · CVE-2019-6446 [CRITICAL]
Bugzilla
CVE-2019-6446 python3-numpy: numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution [epel-7]
bugzilla · 2019-01-21 · CVSS 9.8 · CVE-2019-6446 [CRITICAL]
Bugzilla
CVE-2019-6446 python2-numpy: numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution [epel-7]
bugzilla · 2019-01-21 · CVSS 9.8 · CVE-2019-6446 [CRITICAL]
Bugzilla
CVE-2019-6446 mingw-numpy: numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution [fedora-all]
bugzilla · 2019-01-21 · CVSS 9.8 · CVE-2019-6446 [CRITICAL]
Bugzilla
CVE-2019-6446 numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution
bugzilla · 2019-01-21 · CVSS 9.8 · CVE-2019-6446 [CRITICAL]
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
Upstream issue:
https://github.com/numpy/numpy/issues/12759
Upstream patch:
https://github.com/numpy/numpy/commit/a2bd3a7eabfe053d6d16a2130fdcad9e5211f6bb
Discussion:
Created mingw-numpy tracking bugs for this issue:
Affects: fedora-all [bug 1667956]
Created numpy tracking bugs for this issue:
Affects: fedora-all [bug 1667955]
Created python2-numpy tracking bugs for this issue:
Affects: epel-6 [bug 1667957]
Affects: epel-7 [bug 1667959
Bugzilla
CVE-2019-6446 python2-numpy: numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution [epel-6]
bugzilla · 2019-01-21 · CVSS 9.8 · CVE-2019-6446 [CRITICAL]
Trail of Bits
Secure your machine learning with Semgrep
blogs_trailofbits · 2022-10-03
tl;dr: Our publicly available Semgrep ruleset now has 11 rules dedicated to the misuse of machine learning libraries. Try it out now!
Picture this: You’ve spent months curating images, trying out different architectures, downloading pretrained models, messing with Kubernetes, and you’re finally ready to ship your sparkling new machine learning (ML) product. And then you get the (hopefully not dreaded) question: What security measures have you put into place?
Maybe you’ve already applied tools like Counterfit and PrivacyRaven to test your model against model extraction and model inversion, but that shouldn’t be the end. You’re not just building a model; you’re building a pipeline. And the crux of your pipeline is the source code. ML models cannot be treated as standalone objects. Their cr
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00091.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00092.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00015.html
- http://www.securityfocus.com/bid/106670
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2019:3704
- https://bugzilla.suse.com/show_bug.cgi?id=1122208
- https://github.com/numpy/numpy/commit/89b688732b37616c9d26623f81aaee1703c30ffb
- https://github.com/numpy/numpy/issues/12759
- https://github.com/numpy/numpy/pull/12889
- https://github.com/numpy/numpy/pull/13359
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZZAYIQNUUYXGMKHSPEEXS4TRYFOUYE4/
Published: 2019-01-16