{"id":"PYSEC-2025-34","details":"Picklescan before 0.0.25 does not include the ssl module in its list of unsafe globals. Consequently, a pickle that references ssl.get_server_certificate is not treated as unsafe by the scanner, and the call can exfiltrate data via DNS when the pickle is deserialized.","aliases":["CVE-2025-46417","GHSA-93mv-x874-956g"],"modified":"2025-04-24T03:42:20.380984Z","published":"2025-04-24T01:15:49Z","references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-93mv-x874-956g"},{"type":"WEB","url":"https://github.com/mmaitre314/picklescan/pull/40"}],"affected":[{"package":{"name":"picklescan","ecosystem":"PyPI","purl":"pkg:pypi/picklescan"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.25"}]}],"versions":["0.0.1","0.0.10","0.0.11","0.0.12","0.0.13","0.0.14","0.0.15","0.0.16","0.0.17","0.0.18","0.0.19","0.0.2","0.0.20","0.0.21","0.0.22","0.0.23","0.0.24","0.0.3","0.0.4","0.0.5","0.0.6","0.0.7","0.0.8","0.0.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2025-34.yaml"}}],"schema_version":"1.7.3"}