{"id":"PYSEC-2025-18","details":"picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.","aliases":["CVE-2025-1716","CVE-2025-1889","GHSA-655q-fx9r-782v","GHSA-769v-p64c-89pr","PYSEC-2025-19"],"modified":"2025-04-09T17:41:59.485766Z","published":"2025-02-26T15:15:24Z","references":[{"type":"ADVISORY","url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v"},{"type":"FIX","url":"https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d"},{"type":"WEB","url":"https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1716"}],"affected":[{"package":{"name":"picklescan","ecosystem":"PyPI","purl":"pkg:pypi/picklescan"},"ranges":[{"type":"GIT","repo":"https://github.com/mmaitre314/picklescan","events":[{"introduced":"0"},{"fixed":"78ce704227c51f070c0c5fb4b466d92c62a7aa3d"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.21"}]}],"versions":["0.0.1","0.0.10","0.0.11","0.0.12","0.0.13","0.0.14","0.0.15","0.0.16","0.0.17","0.0.18","0.0.19","0.0.2","0.0.20","0.0.3","0.0.4","0.0.5","0.0.6","0.0.7","0.0.8","0.0.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-18.yaml"}}],"schema_version":"1.7.3"}