CVE-2025-1889

March 5, 2025, 8:49 p.m.

9.8
Critical

Description

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.

Product(s) Impacted

Vendor Product Versions
Mmaitre314
  • Picklescan
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-646
Reliance on File Name or Extension of Externally-Supplied File
The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.
CWE-807
Reliance on Untrusted Inputs in a Security Decision
The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a mmaitre314 picklescan / / / / / / / /

References

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1889

Tags

103e4ec9-0a87-450b-af77-479448ddef11
NVD-CWE-noinfo
CWE-807
CWE-646
2025-03-03
CVE-2025-1889

CVSS Score

9.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: March 3, 2025, 7:15 p.m.
  • Last Modified: March 5, 2025, 8:49 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

103e4ec9-0a87-450b-af77-479448ddef11

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.