PickleScan
CVE-2025-71322
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious pickle is delivered over the network and requires the victim to load the file (UI:R); no prior auth or privileges are needed, and pickle deserialization yields full code execution (C/I/A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
AnalysisAI
Security check bypass in PickleScan versions before 0.0.33 allows attackers to smuggle arbitrary code execution payloads past the scanner by invoking the pty.spawn function, which was omitted from the unsafe globals deny-list. Publicly available exploit code exists (released as part of the HeroCTF 2025 'Irreductible 2' challenge writeup), and the flaw is particularly impactful for platforms like Hugging Face and other ML pipelines that rely on PickleScan to vet PyTorch model files. No public exploit identified at time of analysis in CISA KEV.
Technical ContextAI
PickleScan is a static analysis tool maintained by mmaitre314 that inspects Python pickle streams (commonly embedded inside PyTorch .pt/.bin files and ZIP archives) for references to dangerous globals such as os.system, subprocess.Popen, or eval that would execute code when the pickle is deserialized. The tool relies on an allow/deny list of module-function pairs; CWE-693 (Protection Mechanism Failure) applies because the denylist was incomplete - the standard-library pty module's spawn() function, which internally invokes os.execlp on its first argument, was classified merely as 'suspicious' rather than 'dangerous'. An attacker can therefore hand-craft a pickle stream using the GLOBAL opcode to reference pty.spawn with arguments like ['/bin/sh'], and when the pickle is unpickled (e.g., via torch.load) the spawn call yields an interactive shell under the loading process. The CPE cpe:2.3:a:picklescan:picklescan:*:*:* indicates all versions prior to the fix are affected.
RemediationAI
Vendor-released patch: upgrade picklescan to 0.0.33 or later (pip install --upgrade picklescan), which adds pty.spawn to the dangerous-globals list per upstream PR https://github.com/mmaitre314/picklescan/pull/53 and commit 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab. Operators of model-hosting platforms should rebuild and redeploy any container images or services that pin an older picklescan version, and re-scan recently uploaded models with the fixed scanner since previously cleared artifacts may still contain pty.spawn payloads. As compensating controls until the upgrade is rolled out, refuse to deserialize pickle-based model formats and require safer alternatives such as safetensors, or load untrusted models inside a sandboxed/unprivileged container with no shell available on PATH (which neutralises pty.spawn's /bin/sh invocation) - note that the sandbox approach still permits other unsafe globals not covered by this CVE, so it is not a substitute for the patch.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-693 – Protection Mechanism Failure
View allShare
External POC / Exploit Code
Leaving vuln.today