CRITICAL🇵🇱 Wersja polska

CVE-2025-10157

CVSS 9.3v4.0pub. 2025-09-17upd. 2025-11-13

A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When the incorrectly considered safe file is loaded after scan, it can lead to the execution of malicious code.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Mmaitre314 Picklescan

    APP
    Mmaitre314
    < 0.0.31
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10156CRITICAL9.3PL ✓ten sam produkt

Picklescan: Ominięcie skanowania bezpieczeństwa przez błędny CRC w archiwum ZIP

CVE-2025-10155CRITICAL9.3PL ✓ten sam produkt

Obejście skanowania plików pickle przez nieprawidłową walidację rozszerzeń PyTorch

CVE-2025-71357HIGH7.6ten sam produkt

picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runc...

CVE-2025-71348HIGH7.6ten sam produkt

picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_co...

CVE-2025-71378HIGH7.6ten sam produkt

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowin...