SecuriTricks - CVE-2025-46417

Description

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

Product(s) Impacted

Vendor	Product	Versions
Picklescan	Picklescan	<0.0.25
Python	Ssl	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-184

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	picklescan	picklescan	<0.0.25	/	/	/	/	/	/	/
a	python	ssl	/	/	/	/	/	/	/	/

References

https://github.com/advisories/GHSA-93mv-x874-956g

https://github.com/mmaitre314/picklescan/pull/40

https://github.com/advisories/GHSA-93mv-x874-956g

CVSS Score

6.8 / 10

CVSS Data - 4.0

Attack Vector: LOCAL
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: PASSIVE
Scope:
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: April 24, 2025, 1:15 a.m.
Last Modified: April 24, 2025, 3:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

CVE-2025-46417