A Protection Mechanism Failure vulnerability in picklescan allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match on module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., asyncio.unix_events instead of asyncio). When the file, incorrectly deemed safe, is loaded, it can lead to malicious code execution.
( , 0.0.31)
The vulnerability exists in PickleScan's mechanism for identifying unsafe global imports in pickle files. The scanner checks for dangerous modules by comparing the imported module's name against a blocklist using an exact string match. An attacker can circumvent this check by importing a submodule of a dangerous package (e.g., asyncio.unix_events) instead of the parent package itself (asyncio). Because asyncio.unix_events is not an exact match for asyncio in the blocklist, PickleScan fails to flag the import as dangerous, allowing the malicious file to pass the scan.
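The following added example (not picklescan's own code) shows the flawed exact-match check beside a package-aware one, run over constructed global references; the blocklist contents and the sample references are assumptions for illustration, and the opcode walker only handles the GLOBAL form used by pickle protocols 0-3.

```python
import pickle
import pickletools
from collections import OrderedDict
from typing import Callable, Iterable

# Constructed blocklist of parent packages (assumed names, not picklescan's
# own list) that must never be resolved from a pickle GLOBAL opcode.
UNSAFE_PACKAGES = frozenset({"asyncio", "os", "subprocess"})

def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Collect (module, name) pairs from GLOBAL opcodes by walking the opcode
    stream with pickletools, never unpickling. Protocols 0-3 only; the
    protocol-4 STACK_GLOBAL form is not handled in this example."""
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
    return found

def is_unsafe_exact(module: str) -> bool:
    """The flawed check the advisory describes: an exact string comparison,
    so 'asyncio.unix_events' is not equal to 'asyncio' and is not flagged."""
    return module in UNSAFE_PACKAGES

def is_unsafe_by_package(module: str) -> bool:
    """Package-aware check: compare the top-level dotted component, so every
    submodule of a blocked package is flagged. Comparing the component rather
    than using str.startswith avoids flagging 'osx_tools' for 'os'."""
    return module.split(".", 1)[0] in UNSAFE_PACKAGES

def scan(globals_seen: Iterable[tuple[str, str]],
         checker: Callable[[str], bool]) -> list[str]:
    """Return the 'module.name' references the checker flags."""
    return [f"{m}.{n}" for m, n in globals_seen if checker(m)]

# Constructed references, as a scanner would extract them from a file.
SAMPLE_GLOBALS = [
    ("collections", "OrderedDict"),      # benign
    ("asyncio", "get_event_loop"),       # parent package: both checks flag it
    ("asyncio.unix_events", "Example"),  # submodule: exact match misses it
    ("osx_tools", "Helper"),             # must not be flagged for "os"
]

if __name__ == "__main__":
    benign = pickle.dumps(OrderedDict, protocol=2)  # constructed benign pickle
    print("extracted    :", extract_globals(benign))
    print("exact match  :", scan(SAMPLE_GLOBALS, is_unsafe_exact))
    print("package-aware:", scan(SAMPLE_GLOBALS, is_unsafe_by_package))
```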
The following steps demonstrate the bypass.
# 1. Download a malicious pickle file that uses a submodule of a dangerous package.
wget https://huggingface.co/iluem/linux_pkl/resolve/main/asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl
# 2. Scan the file with PickleScan.
picklescan -p asyncio_asyncio_unix_events___UnixSubprocessTransport__start.pkl -g
# Observed Result: PickleScan marks the import as "Suspicious" but fails to identify it as a "dangerous" import, allowing it to pass.
# Expected Result: PickleScan should recognize any submodule of 'asyncio' as dangerous and flag the file as malicious.
No mitigations are supplied for this issue.