CVE-2025-10157
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-11-13
Assigner: JFrog
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mmaitre314 | picklescan | to 0.0.31 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Protection Mechanism Failure in the mmaitre314 picklescan tool (versions up to 0.0.30) that allows a remote attacker to bypass the unsafe globals check. The scanner only performs an exact match for module names, so an attacker can exploit this by using submodules of dangerous packages (for example, 'asyncio.unix_events' instead of 'asyncio'). This causes the scanner to incorrectly consider a malicious file as safe, which when loaded after scanning, can lead to execution of malicious code.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute malicious code remotely by bypassing the safety checks of the picklescan scanner. This could lead to unauthorized code execution on your system, potentially compromising system integrity, confidentiality, and availability.