GHSA-97f8-7cmv-76j2: Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
This is a scanning bypass of the scan_pytorch function in picklescan. The implementation of get_magic_number() uses pickletools.genops(data) to find the magic number, accepting an opcode whose name includes INT or LONG, whereas PyTorch's implementation simply calls pickle_module.load() to get the magic number. Because of this implementation difference, the magic number can be embedded in the PyTorch file via dynamic eval using the \_\_reduce\_\_ trick: pickletools.genops(data) then cannot find the magic number as an INT or LONG type, but pickle_module.load() still returns the same magic number, leading to a bypass.
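The parser differential described above, together with a stricter static check a scanner could apply, as an added example (not picklescan's code or its fix). The function names are hypothetical, the magic-number constant is assumed from PyTorch's legacy format, and the computed sample is constructed and benign: it calls int() rather than eval.

```python
import io
import pickle
import pickletools

# Assumption: PyTorch's legacy-format magic number (torch.serialization.MAGIC_NUMBER).
MAGIC_NUMBER = 0x1950A86A20F9469CFC6C
INT_LITERALS = {"INT", "BININT", "BININT1", "BININT2", "LONG", "LONG1", "LONG4"}
FRAMING = {"PROTO", "FRAME"}  # carry no value and call nothing


def lenient_magic_number(data: bytes):
    """Check as the advisory describes it: first opcode named *INT* or *LONG*."""
    try:
        for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if "INT" in opcode.name or "LONG" in opcode.name:
                return int(arg)
    except ValueError:
        pass
    return None


def strict_magic_number(data: bytes):
    """Return (value, reason); value only for [PROTO] [FRAME] <int literal> STOP."""
    value = None
    try:
        for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if opcode.name in FRAMING:
                continue
            if opcode.name in INT_LITERALS and value is None:
                value = int(arg)
            elif opcode.name == "STOP" and value is not None:
                return value, "ok"
            else:
                return None, f"unexpected opcode {opcode.name}"
    except ValueError as exc:
        return None, f"malformed pickle: {exc}"
    return None, "no STOP opcode"


class ComputedMagic:
    """Constructed, benign sample: the value comes from a call to int(), not a literal."""
    def __reduce__(self):
        return (int, (str(MAGIC_NUMBER),))


PLAIN = pickle.dumps(MAGIC_NUMBER, protocol=2)
COMPUTED = pickle.dumps(ComputedMagic(), protocol=2)
LOADED = pickle.loads(COMPUTED)  # loaded only because COMPUTED is built just above
```

On the computed sample the lenient scan finds no integer opcode while the loader still yields the magic number; the strict check rejects the stream at the first opcode that is not a literal.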
References
- github.com/advisories/GHSA-97f8-7cmv-76j2
- github.com/mmaitre314/picklescan/commit/134179474539648ba7dee1317959529fbd0e7f89
- github.com/mmaitre314/picklescan/commit/2a8383cfeb4158567f9770d86597300c9e508d0f
- github.com/mmaitre314/picklescan/commit/b9997634683a4f4bd0c7e3701e7ce7e90fe70e8c
- github.com/mmaitre314/picklescan/security/advisories/GHSA-97f8-7cmv-76j2
- nvd.nist.gov/vuln/detail/CVE-2026-53875
- www.vulncheck.com/advisories/picklescan-scanning-bypass-via-dynamic-eval-in-scan-pytorch