pickle.load in Snorkel BaseLabeler.loadMITRE service request: 1987825
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python’s pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim’s system when the file is loaded via the vulnerable method.
BaseLabeler.load(source=...) performs native pickle.load on attacker-controlled paths. Pickle is not a safe interchange format—loading untrusted .pkl is equivalent to running untrusted bytecode.
617c92400c50e95ce41fcee84309a86f76cf525c).pickle.load on user source path.__reduce__ gadget inside pickle blob.BaseLabeler.load inside labeling pipelines.Critical — pickle is inherently executable.