PT-2025-38143 · Unknown · Picklescan
Jfrog +1
Published 2025-06-29 · Updated 2025-12-05 · CVE-2025-10157
CVSS v2.0: 10 Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
mmaitre314 picklescan versions up to and including 0.0.30
Description
A protection mechanism failure in picklescan allows a remote attacker to bypass the unsafe globals check. The scanner compares the module name of each imported global against its blocklist with an exact string match, so a reference that goes through a submodule of a blocklisted package, such as 'asyncio.unix_events' instead of 'asyncio', is never matched and the file is reported as safe. When a file incorrectly identified as safe is then loaded, the referenced code is executed. The vulnerability can lead to arbitrary code execution on the user's system when processing malicious pickle files, including pickles packaged inside ZIP archives.
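The bypass described above and the parent-package lookup of the recommended fix, as an added example that is not picklescan's code: an exact-match blocklist lookup beside a longest-key, dot-boundary lookup, both run over constructed pickle payloads whose GLOBAL / STACK_GLOBAL references are read from the opcode stream with pickletools.genops rather than by unpickling. The blocklist contents, the payload builders and the `asyncio.unix_events` attribute name used in the payload are assumptions made for this demo, not picklescan's table or a real exploit.

```python
"""
Added example, not picklescan's code: an exact-match blocklist lookup beside
a parent-package lookup, run over constructed pickle payloads.  The blocklist,
the module/name pairs and the payload builders are assumptions for the demo.
"""
import pickletools

# Constructed blocklist for this demo (picklescan's real table is larger):
# module -> set of unsafe attribute names, "*" meaning every name.
UNSAFE_GLOBALS = {
    "os": {"system"},
    "subprocess": {"Popen"},
    "asyncio": {"*"},
}


def match_exact(module, unsafe_globals):
    """Vulnerable lookup: the module name must equal a blocklist key exactly,
    so 'asyncio.unix_events' never matches the 'asyncio' entry."""
    return module if module in unsafe_globals else None


def match_package(module, unsafe_globals):
    """Fixed lookup: the longest key that is the module itself or a parent
    package on a dot boundary.  'asyncio.unix_events' matches 'asyncio';
    the look-alike 'asyncio2' does not."""
    matched = None
    for key in unsafe_globals:
        if module == key or module.startswith(key + "."):
            if matched is None or len(key) > len(matched):
                matched = key
    return matched


def globals_in_pickle(data):
    """Yield (module, name) for each GLOBAL / STACK_GLOBAL reference by
    walking the opcode stream with pickletools; nothing is unpickled."""
    strings = []  # string operands seen so far; STACK_GLOBAL consumes the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            yield module, name
        elif op.name == "STACK_GLOBAL":
            yield strings[-2], strings[-1]
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)


def scan(data, matcher):
    """Return the (module, name) references the given matcher flags as unsafe."""
    flagged = []
    for module, name in globals_in_pickle(data):
        key = matcher(module, UNSAFE_GLOBALS)
        if key is None:
            continue
        names = UNSAFE_GLOBALS[key]
        if "*" in names or name in names:
            flagged.append((module, name))
    return flagged


def global_pickle(module, name):
    """Constructed protocol-0 style payload: GLOBAL module name, then STOP."""
    return b"c" + module.encode() + b"\n" + name.encode() + b"\n."


def stack_global_pickle(module, name):
    """Constructed protocol-4 payload: two SHORT_BINUNICODE strings, STACK_GLOBAL, STOP."""
    def short_unicode(text):
        raw = text.encode("utf-8")
        return b"\x8c" + bytes([len(raw)]) + raw
    return b"\x80\x04" + short_unicode(module) + short_unicode(name) + b"\x93."


# Constructed payloads: a direct hit, the submodule bypass, and a look-alike name.
PAYLOADS = {
    "direct": stack_global_pickle("os", "system"),
    "submodule_bypass": global_pickle("asyncio.unix_events", "_UnixSelectorEventLoop"),
    "lookalike": global_pickle("asyncio2", "run"),
}


if __name__ == "__main__":
    for label, data in PAYLOADS.items():
        print(f"{label:17} exact={scan(data, match_exact)!r:45} "
              f"package={scan(data, match_package)!r}")
```

Running the module shows the exact-match lookup flagging only the direct `os.system` reference and missing the `asyncio.unix_events` payload, while the package lookup flags both; the `key + "."` boundary check is what keeps the look-alike `asyncio2` from being over-matched, which a bare `startswith(key)` would get wrong.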
Recommendations
Versions prior to 0.0.31 are affected. Replace the code at https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L309C9-L309C54 with the following code snippet:
```python
matched_key = None
if imported_global.module:
    for key_in_globals in unsafe_globals.keys():
        if imported_global.module.startswith(key_in_globals):
            # Match the package itself or a dotted submodule of it,
            # never a bare string prefix (e.g. 'asyncio2' must not match 'asyncio').
            if (imported_global.module == key_in_globals
                    or (len(imported_global.module) > len(key_in_globals)
                        and imported_global.module[len(key_in_globals)] == '.')):
                # Prefer the most specific (longest) matching key.
                if matched_key is None or len(key_in_globals) > len(matched_key):
                    matched_key = key_in_globals
if matched_key:
    unsafe_filter = unsafe_globals[matched_key]
```
Exploit
Fix
RCE
Protection Mechanism Failure
Affected Products
Picklescan