mmaitre314 picklescan
cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*
- < 0.0.22
A vulnerability in Picklescan versions prior to 0.0.22 allows attackers to bypass security scans by using non-standard file extensions for malicious pickle files. Picklescan only scans files with standard extensions, such as .pkl or .pt. This vulnerability can be exploited by embedding a malicious pickle file with a non-standard extension into a PyTorch model, which would then be loaded without detection, potentially leading to arbitrary code execution.
Exploitation of this vulnerability allows for the injection of malicious code into PyTorch models, which can evade detection by Picklescan and execute when the model is loaded. This creates a risk of remote code execution and could be used in supply chain attacks, backdooring pre-trained models distributed via repositories like Hugging Face or PyTorch Hub.
To reproduce this vulnerability, create a PyTorch model and save it normally. Then, craft a second pickle file containing a malicious payload and modify the model to load this file when opened. The inclusion of the malicious file with a non-standard extension will bypass Picklescan's security checks.
Users should update to Picklescan version 0.0.22 or later, which addresses this vulnerability. The project has also published a GitHub advisory for this issue.
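The weakness above is extension-based file selection, so the defensive fix is to decide by content. As an added example (not picklescan's own code), the Python below walks every member of a zip-based PyTorch model, recognises pickle data by parsing its opcodes rather than by file name, and reports any global reference outside a hypothetical allowlist; the sample archive, the allowlist and the hidden member's `subprocess.Popen` reference are constructed for illustration and nothing is ever unpickled.

```python
import io
import pickle
import pickletools
import subprocess
import zipfile

# Hypothetical allowlist of globals a model may reference; all others are reported.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch.FloatStorage",
                   "torch._utils._rebuild_tensor_v2"}


def unapproved_globals(data: bytes) -> list[str]:
    """Non-allowlisted 'module.name' imports found by opcode walk; never unpickles."""
    try:
        ops = list(pickletools.genops(data))
    except Exception:
        return []                      # does not parse as a pickle at all
    strings, found = [], []
    for op, arg, _pos in ops:
        if op.name.endswith(("STRING", "UNICODE", "UNICODE8")):
            strings.append(arg)        # operands for a later STACK_GLOBAL
        elif op.name in ("GLOBAL", "INST"):
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # simplification: assumes both operands were pushed as string literals
            found.append(".".join(strings[-2:]) if len(strings) >= 2 else "?")
    return [g for g in found if g not in ALLOWED_GLOBALS]


def scan_model_archive(archive: bytes) -> dict[str, list[str]]:
    """Scan every member of a zip-based model file by content, not by extension."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            hits = unapproved_globals(zf.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: benign data.pkl, a version file, and a pickle hidden
    as config.txt that only references subprocess.Popen (never loaded here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", pickle.dumps({"w": [0.1, 0.2]}, protocol=2))
        zf.writestr("model/version", b"3\n")
        zf.writestr("model/extra/config.txt", pickle.dumps(subprocess.Popen, protocol=4))
    return buf.getvalue()
```

Running `scan_model_archive(build_sample_archive())` reports the `config.txt` member even though its name carries no pickle extension, which is exactly the case an extension-based check misses.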