CVE-2025-1716
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via pip.main(). Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mmaitre314 | picklescan | 0.0.1 <= 0.0.20 | affected |
Weaknesses
- CWE-184: CWE-184 Incomplete List of Disallowed Inputs
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.sonatype.com/security-advisories/cve-2025-1716
- https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.