{ "schema_version": "1.4.0", "id": "GHSA-vr75-hjh9-7fr6", "modified": "2025-03-03T20:05:26Z", "published": "2025-03-03T18:31:25Z", "withdrawn": "2025-03-03T20:05:26Z", "aliases": [], "summary": "Duplicate Advisory: Remote Code Execution via Malicious Pickle File Bypassing Static Analysis", "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.", "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "picklescan" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "0.0.21" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1716" }, { "type": "WEB", "url": "https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d" }, { "type": "WEB", "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716" } ], "database_specific": { "cwe_ids": [ "CWE-184" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-03T20:05:26Z", "nvd_published_at": "2025-02-26T15:15:24Z" } }