CVE-2025-46417

HIGH

Picklescan <0.0.25 - Info Disclosure

Title source: llm

Description

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

References (2)

[Exploit, Third Party Advisory] https://github.com/advisories/GHSA-93mv-x874-956g

[Issue Tracking, Patch] https://github.com/mmaitre314/picklescan/pull/40

Scores

CVSS v3 7.5

EPSS 0.0019

EPSS Percentile 40.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-184

Status published

Products (2)

mmaitre314/picklescan < 0.0.25

pypi/picklescan 0 - 0.0.25PyPI

Published Apr 24, 2025

Tracked Since Feb 18, 2026