CVE-2025-10157

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass picklescan's unsafe globals check by referencing a submodule of a dangerous package (a dotted module path such as package.submodule) where the scanner compared module names exactly against its denylist. A malicious pickle file therefore appears clean during scanning but still executes arbitrary code when it is loaded. Anyone using picklescan versions up to and including 0.0.30 to validate pickle files is affected.

💻 Affected Systems

Products:
  • mmaitre314 picklescan
Versions: All versions up to and including 0.0.30
Operating Systems: All platforms where Python runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when scanning pickle files that import dangerous packages via submodules.

📦 What is this software?

picklescan is a Python tool that statically scans pickle files (commonly ML model files) for references to dangerous modules and callables, its unsafe globals check, without unpickling them, so that untrusted serialized data can be rejected before it is loaded.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Malicious pickle files bypassing security checks and executing arbitrary code in applications that rely on picklescan for validation.

🟢 If Mitigated: Limited impact with proper network segmentation, least privilege, and additional validation layers.

🌐 Internet-Facing: MEDIUM - Exploitation requires uploading or processing malicious pickle files through vulnerable interfaces.
🏢 Internal Only: MEDIUM - Internal applications processing pickle files from untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept pickle files are publicly available. Exploitation requires the target to load a malicious pickle file after it has passed a scan by a vulnerable version; the scan itself does not execute anything.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.31 or later

Vendor Advisory: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr

Restart Required: No

Instructions:

1. Update picklescan: pip install --upgrade picklescan
2. Verify version is 0.0.31 or higher
3. Re-scan with the fixed version any pickle files that passed a scan under 0.0.30 or earlier; those earlier results cannot be trusted

🔧 Temporary Workarounds

Manual submodule validation (platform: all)

Add a validation step that walks the pickle opcode stream and rejects any GLOBAL / STACK_GLOBAL reference whose module is a denylisted package or any submodule of it (prefix match on "package."), instead of an exact module-name comparison.

# Custom Python script to validate pickle imports beyond picklescan
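The validation step described above, written out as an added example for this page (it is not picklescan's own code and does not come from the advisory). It walks the opcode stream with pickletools and never unpickles anything. The denylist, the constructed sample pickles and the attribute name SomeAttr are assumptions for illustration; `exact=True` reproduces an exact-name comparison so the difference between the two checks is visible on the same input.

```python
"""Pickle import checker with package-prefix matching (added example).

Flags GLOBAL / STACK_GLOBAL references whose module is a denylisted package
or any submodule of it, using pickletools only; the pickle is never loaded.
"""
import pickle
import pickletools

# Illustrative denylist (an assumption, not picklescan's list). "asyncio" is
# included because this page's SIEM query names asyncio.unix_events.
DENYLIST = frozenset({"os", "sys", "subprocess", "builtins", "posix", "nt", "asyncio"})

# Opcodes that push a str onto the unpickler stack.
STRING_OPS = frozenset({"STRING", "BINSTRING", "SHORT_BINSTRING",
                        "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"})


def module_is_denied(module, denylist=DENYLIST, exact=False):
    """exact=True is an exact-name comparison, which lets 'asyncio.unix_events'
    through when only 'asyncio' is listed; the default also matches submodules."""
    if module in denylist:
        return True
    if exact:
        return False
    return any(module.startswith(pkg + ".") for pkg in denylist)


def extract_globals(data):
    """Return [(module, name), ...] for every GLOBAL / STACK_GLOBAL opcode.

    Only str values are tracked. A STACK_GLOBAL takes the two most recently
    pushed strings, whether pushed directly or fetched from the memo (BINGET),
    so a pickle that reuses an already-memoized module name is still caught.
    """
    recent = []          # strings pushed so far, in order
    memo = {}            # memo slot -> str (None for non-str values)
    memo_count = 0       # MEMOIZE assigns slots sequentially
    last = None          # str pushed by the previous opcode, else None
    found = []
    for op, arg, _pos in pickletools.genops(data):
        pushed = None
        if op.name in STRING_OPS:
            pushed = arg
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed = memo.get(arg)
        elif op.name == "MEMOIZE":
            memo[memo_count] = last
            memo_count += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name == "GLOBAL":                 # protocols 0-3: arg is "module name"
            module, _, name = arg.partition(" ")
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:   # protocol 4+
            found.append((recent[-2], recent[-1]))
        if pushed is not None:
            recent.append(pushed)
        last = pushed
    return found


def flag_unsafe(data, denylist=DENYLIST, exact=False):
    """Return the denied (module, name) references found in a pickle."""
    return [(m, n) for m, n in extract_globals(data)
            if module_is_denied(m, denylist, exact)]


def make_stack_global(module, name):
    """Constructed protocol-4 pickle whose only action is to reference module.name.
    Each string is SHORT_BINUNICODE (0x8c, length, utf-8) followed by MEMOIZE
    (0x94); STACK_GLOBAL is 0x93 and STOP is '.'. Test input only, never loaded."""
    def s(text):
        raw = text.encode()
        return b"\x8c" + bytes([len(raw)]) + raw + b"\x94"
    return b"\x80\x04" + s(module) + s(name) + b"\x93."


if __name__ == "__main__":
    sample = make_stack_global("asyncio.unix_events", "SomeAttr")   # hypothetical attribute
    print("exact-name check :", flag_unsafe(sample, exact=True))    # [] : bypassed
    print("prefix check     :", flag_unsafe(sample))                # flagged
    print("plain dict pickle:", flag_unsafe(pickle.dumps({"k": [1, 2]}, protocol=4)))
```

Run it on a real file with `flag_unsafe(open(path, "rb").read())` and reject the file if the list is non-empty. The memo tracking is deliberate: Python's pickler emits a second reference to the same module as a BINGET of the memoized string rather than a fresh string opcode, so a scanner that only looks at string opcodes immediately before STACK_GLOBAL would miss it.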

🧯 If You Can't Patch

  • Disable pickle file processing from untrusted sources entirely
  • Implement additional validation layers using multiple security tools

🔍 How to Verify

Check if Vulnerable:

Check picklescan version: pip show picklescan | grep Version

Check Version:

python -c "import picklescan; print(picklescan.__version__)"

Verify Fix Applied:

Confirm the version is 0.0.31 or higher, then confirm the scanner flags a test pickle that references a submodule of a denylisted package (the bypass case), not only one that names the package exactly

📡 Detection & Monitoring

Log Indicators:

  • Pickle files that pass a scan by picklescan 0.0.30 or earlier but are flagged by 0.0.31 or later (a bypass produces no failure entry of its own, so compare scan results across versions)
  • Unusual pickle file processing activity, such as loads from paths or users that normally never handle pickle files

Network Indicators:

  • Unexpected pickle file uploads to web applications

SIEM Query:

process.name:python AND command_line:*pickle* AND (command_line:*asyncio.unix_events* OR command_line:*submodule*)

This query only matches scanner or loader invocations whose command line mentions those strings; a pickle loaded inside a long-running application (for example a model server) leaves no such trace, so pair it with application-level logging of scan results and of the modules each loaded pickle references.
