picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| picklescan(PyPI) | 0 | 0.0.22 | N/A |
CVSS Metrics
