GHSA-m7j5-r2p5-c39r
picklescan vulnerable to arbitrary file create using logging.FileHandler
Blast Radius
picklescanReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.
Details
The application deserializes untrusted pickle data. While RCE keywords may be blocked, the exploit abuses standard library features:
logging.FileHandler: The exploit instantiates this class using its default behavior (append mode).
Behavior on Existing Files: If the target file already exists, the handler opens it without modifying its content, resulting in no impact to existing data.
Behavior on Non-Existent Files: If the target file does not exist, the handler creates a new zero-byte file with the specified name.
PoC
import pickle
class WriteFile:
def __reduce__(self):
from logging import FileHandler
return (FileHandler, ('evil.log',))
with open("bypass_write.pkl", "wb") as f:
pickle.dump(WriteFile(), f)
handler = pickle.loads(pickle.dumps(WriteFile()))
Impact
This primitive can be used for Filesystem Pollution or Logic Disruption. For example, an attacker could create specific "lock files" (e.g., maintenance.lock, .lock) that the application checks for, potentially triggering a Denial of Service (DoS) or preventing the application from starting.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | picklescan | all versions | 1.0.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for picklescan. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update picklescan to 1.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-m7j5-r2p5-c39r is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-m7j5-r2p5-c39r is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-m7j5-r2p5-c39r. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-m7j5-r2p5-c39r in your dependencies?
O3 detects GHSA-m7j5-r2p5-c39r across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.