picklescan
CVE-2025-71321
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Payload is delivered network-wide (e.g., model hub) but the victim must choose to scan-then-load an attacker-supplied pickle, so UI:R; no auth needed and impact is full host compromise.
Primary rating from Vendor (VulnCheck).
CVSS Vector (Vendor: VulnCheck): as listed above.
Description (CVE.org)
picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code execution.
Analysis (AI)
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing distutils.file_util.write_file inside crafted pickle payloads. Because picklescan is used as a safety gate before loading ML model pickles, a bypass means malicious models pass scanning and can overwrite files on disk to achieve denial of service or remote code execution. Proof-of-concept exploit code is publicly available in the GHSA advisory, but no active exploitation had been identified at the time of analysis.
Technical Context (AI)
picklescan is a Python library used to statically inspect pickle files (commonly Hugging Face / PyTorch model artifacts) for dangerous opcodes and imports before unpickling. It maintains a denylist of known-bad callables such as builtins.open and shutil.* that can be used to write or overwrite files via pickle's __reduce__ mechanism. The root cause is CWE-502 (Deserialization of Untrusted Data) compounded by an incomplete blocklist: distutils.file_util.write_file performs the same arbitrary file write primitive but was not enumerated, so a __reduce__ returning (distutils.file_util.write_file, (path, lines)) is reported as safe by the scanner and then writes attacker-controlled content when the consuming application loads the pickle. The affected component is cpe:2.3:a:picklescan:picklescan:* up to 0.0.32.
Remediation (AI)
Vendor-released patch: upgrade picklescan to 0.0.33 or later (pip install --upgrade picklescan), which adds distutils to the dangerous globals list per the upstream fix in https://github.com/mmaitre314/picklescan/pull/53 and commit 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab; see the advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4.

Where immediate upgrade is not possible, supplement scanning by extending your own denylist to include distutils.file_util.write_file (and audit for other writable callables such as os.* and pathlib writes), or refuse to unpickle any model from untrusted sources and prefer safetensors-format weights instead. The trade-off is that legitimate distutils-using pickles will be blocked and migrating off pickle requires re-saving models.

Treat picklescan as one defense layer only and sandbox the unpickling process (separate user, read-only filesystem, no SSH key access) so that even an arbitrary write cannot reach .ssh/authorized_keys or webroot config.
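To make the blocklist gap in the Technical Context and the "extend your own denylist" remediation concrete, here is an added example (not picklescan's code) that statically lists a pickle's imports with pickletools.genops and checks them against a constructed denylist, first without and then with the distutils entry the upstream fix added. The denylist contents and the sample pickle bytes are constructed for this illustration; the fixtures contain only a GLOBAL reference and no REDUCE, so they are scanner inputs, not payloads.

```python
import pickle
import pickletools

# Constructed denylists. INCOMPLETE mirrors the pre-0.0.33 gap described above;
# EXTENDED adds distutils as the upstream fix did. "*" denies every name.
INCOMPLETE = {"builtins": {"open", "exec", "eval"}, "shutil": {"*"}, "os": {"*"}}
EXTENDED = {**INCOMPLETE, "distutils": {"*"}}

# Constructed fixtures (not taken from the advisory): a protocol-2 pickle whose
# only content is a GLOBAL reference to distutils.file_util.write_file, and the
# protocol-4 form of the same reference (two SHORT_BINUNICODE + STACK_GLOBAL).
# Neither contains REDUCE, so loading them would merely return the function.
SAMPLE_P2 = b"\x80\x02cdistutils.file_util\nwrite_file\n."
SAMPLE_P4 = b"\x80\x04\x8c\x13distutils.file_util\x8c\x0awrite_file\x93."
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)  # no imports at all


def pickle_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the pickle imports; never unpickles."""
    found, strings = [], []  # strings: recent str constants, for STACK_GLOBAL
    for op, arg, pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name on stack
            if len(strings) < 2:
                raise ValueError(f"STACK_GLOBAL without two strings at {pos}")
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):         # simplification: ignores BINGET reuse
            strings.append(arg)
    return found


def is_denied(module: str, name: str, denylist: dict) -> bool:
    """Match on the full module path or on its top-level package."""
    for key in (module, module.split(".")[0]):
        names = denylist.get(key)
        if names and ("*" in names or name in names):
            return True
    return False


def scan(data: bytes, denylist: dict) -> list[str]:
    """Return dotted names of denied imports; an empty list means 'looks safe'."""
    return [f"{m}.{n}" for m, n in pickle_globals(data) if is_denied(m, n, denylist)]


if __name__ == "__main__":
    for label, fixture in (("p2", SAMPLE_P2), ("p4", SAMPLE_P4), ("benign", BENIGN)):
        print(label, "incomplete:", scan(fixture, INCOMPLETE),
              "extended:", scan(fixture, EXTENDED))
```

With INCOMPLETE both fixtures come back empty, which is exactly the false negative the advisory describes; with EXTENDED both are flagged while the benign dict stays clean.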