Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-hf6h-9wq7-hmjg

GitHub Security Advisory

Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

✓ GitHub Reviewed CRITICAL Withdrawn
View on GitHub

Advisory Details

### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references.

### Original Description
A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio').

When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.

Affected Packages

PyPI picklescan
Affected versions: 0 (fixed in 0.0.31)

Key Information

GHSA ID
GHSA-hf6h-9wq7-hmjg
Published
September 17, 2025 12:30 PM
Last Modified
September 17, 2025 8:24 PM
CVSS Score
9.0 /10
Primary Ecosystem
PyPI
Primary Package
picklescan
GitHub Reviewed
✓ Yes
Withdrawn
September 17, 2025 8:24 PM

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.