PYSEC-2026-1783
Vulnerability from pysec - Published: 2026-07-07 16:03 - Updated: 2026-07-07 17:25
VLAI
Details
Summary
Picklescan uses the numpy.f2py.crackfortran._eval_length function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.
Details
Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran._eval_length in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.
PoC
class PoC:
def __reduce__(self):
from numpy.f2py.crackfortran import _eval_length
return _eval_length, ("__import__('os').system('whoami')", None)
Impact
- Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
- Enables supply‑chain poisoning of shared model files.
Credits
Severity
Impacted products
| Name | purl | picklescan | pkg:pypi/picklescan |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan",
"purl": "pkg:pypi/picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.33"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.1",
"0.0.10",
"0.0.11",
"0.0.12",
"0.0.13",
"0.0.14",
"0.0.15",
"0.0.16",
"0.0.17",
"0.0.18",
"0.0.19",
"0.0.2",
"0.0.20",
"0.0.21",
"0.0.22",
"0.0.23",
"0.0.24",
"0.0.25",
"0.0.26",
"0.0.27",
"0.0.28",
"0.0.29",
"0.0.3",
"0.0.30",
"0.0.31",
"0.0.32",
"0.0.4",
"0.0.5",
"0.0.6",
"0.0.7",
"0.0.8",
"0.0.9"
]
}
],
"aliases": [
"CVE-2025-71339",
"GHSA-6556-fwc2-fg2p"
],
"details": "### Summary\n\nPicklescan uses the `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.\n\n### Details\n\nPicklescan fails to detect a malicious pickle that uses the gadget `numpy.f2py.crackfortran._eval_length` in `__reduce__`, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker\u2011controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.\n\n### PoC\n```python\nclass PoC:\n def __reduce__(self):\n from numpy.f2py.crackfortran import _eval_length\n return _eval_length, (\"__import__(\u0027os\u0027).system(\u0027whoami\u0027)\", None)\n```\n\n### Impact\n\n- Arbitrary code execution on the victim machine once they load the \u201cscanned as safe\u201d pickle / model file.\n- Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.\n- Enables supply\u2011chain poisoning of shared model files.\n\n### Credits\n- [ac0d3r](https://github.com/ac0d3r)\n- [Tong Liu](https://lyutoon.github.io), Institute of information engineering, CAS",
"id": "PYSEC-2026-1783",
"modified": "2026-07-07T17:25:02.114122Z",
"published": "2026-07-07T16:03:14.498992Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/pull/53"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/picklescan"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-6556-fwc2-fg2p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71339"
}
],
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…