mmaitre314 PickleScan Improper Input Validation Vulnerability Allowing Pickle File Security Check Bypass

Vulnerability

An improper input validation vulnerability has been identified in mmaitre314 PickleScan, affecting versions through 0.0.30. It allows remote attackers to bypass PickleScan's security checks by presenting a standard pickle file under a PyTorch-related file extension. The issue arises because the scanning logic decides how to treat a file from its extension rather than from its actual content, so a malicious pickle that is not vetted can execute its payload when the file is later loaded.

Impact

Exploitation of this vulnerability allows malicious pickle files to be disguised with common PyTorch file extensions and pass through PickleScan undetected. This can lead to the execution of harmful code when the file is loaded by a user or application, undermining the security of systems that rely on PickleScan to vet model files.

Reproduction

To reproduce this vulnerability, first download a malicious pickle file with a standard .pkl extension and scan it with PickleScan, which should correctly identify the threat. Then, rename the file to use a PyTorch-related extension, such as .bin, and scan it again with PickleScan. This time, the scan will fail to detect the malicious content, demonstrating how the vulnerability allows harmful files to bypass security checks.
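The defensive counterpart to the behaviour described above is a scanner that never consults the file name at all. The example below is added here and is not PickleScan's own code: it sniffs pickle content by walking the opcode stream with pickletools.genops (which parses but never executes the pickle), collects every module/name the stream would import, and also looks inside PyTorch's zip checkpoint container so that a data.pkl member is scanned whatever the outer file is called. The allowlist, the sample inputs and the extension_says_pickle helper are constructed for illustration; datetime.date stands in for any import a checkpoint has no reason to make.

```python
"""Content-based pickle scanning that ignores the file extension (added example)."""
import datetime
import io
import pickle
import pickletools
import zipfile
from dataclasses import dataclass, field

# Constructed allowlist: globals a plain checkpoint is expected to reference.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

# Opcodes that push a str onto the unpickler stack; needed to resolve STACK_GLOBAL.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


@dataclass
class ScanResult:
    is_pickle: bool
    globals_seen: list = field(default_factory=list)
    flagged: list = field(default_factory=list)


def extension_says_pickle(filename: str) -> bool:
    """The brittle check the advisory describes: trust the name. A rename defeats it."""
    return filename.lower().endswith((".pkl", ".pickle"))


def looks_like_pickle(data: bytes) -> bool:
    """Content sniff: the bytes must parse as a complete opcode stream ending in STOP."""
    try:
        for _ in pickletools.genops(data):
            pass
        return True
    except Exception:
        return False


def referenced_globals(data: bytes) -> list:
    """Collect (module, name) pairs from GLOBAL and STACK_GLOBAL opcodes.

    A small memo model lets STACK_GLOBAL resolve its operands even when the
    pickler reused a memoized string via BINGET instead of re-emitting it.
    """
    refs, memo, strings = [], {}, []
    last_pushed = None  # str pushed by the previous opcode, else None
    for op, arg, _pos in pickletools.genops(data):
        pushed = None
        if op.name in STRING_OPS:
            pushed = arg
        elif op.name in ("BINGET", "LONG_BINGET", "GET"):
            pushed = memo.get(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last_pushed
        elif op.name in ("BINPUT", "LONG_BINPUT", "PUT"):
            memo[arg] = last_pushed
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            refs.append((strings[-2], strings[-1]))
        if pushed is not None:
            strings.append(pushed)
        last_pushed = pushed
    return refs


def scan_bytes(data: bytes, allowed=ALLOWED_GLOBALS) -> ScanResult:
    """Scan a blob by content only. The file name is deliberately not an input."""
    blobs = [data]
    if data[:4] == b"PK\x03\x04":
        # PyTorch's zip checkpoint container: scan every member, not just *.pkl
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            blobs = [zf.read(name) for name in zf.namelist()]
    pickles = [b for b in blobs if looks_like_pickle(b)]
    if not pickles:
        return ScanResult(is_pickle=False)
    seen = [g for b in pickles for g in referenced_globals(b)]
    return ScanResult(True, seen, [g for g in seen if g not in allowed])


def build_samples() -> dict:
    """Constructed inputs: a plain dict, an object whose pickle imports a global,
    and a torch-style zip wrapping that pickle as archive/data.pkl."""
    plain = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
    with_import = pickle.dumps(datetime.date(2024, 1, 1), protocol=4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", with_import)
        zf.writestr("archive/version", "3\n")
    return {"plain": plain, "with_import": with_import, "zip": buf.getvalue()}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        result = scan_bytes(blob)  # same verdict regardless of the name below
        for name in ("model.pkl", "model.bin", "pytorch_model.pt"):
            print(f"{label:12} as {name:17} ext-check={extension_says_pickle(name)!s:5} "
                  f"content-check={result.is_pickle!s:5} flagged={result.flagged}")
```

Running the block prints the same content-based verdict for each blob under all three names, while the extension check flips to False as soon as the name ends in .bin or .pt; that mismatch is exactly the gap the advisory describes.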

Remediation

Users are advised to update to PickleScan version 0.0.31, where this vulnerability has been patched.

Added: Sep 17, 2025, 10:20 AM
Updated: Sep 17, 2025, 2:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.