Skip to main content

PickleScan CVE-2025-71322

HIGH
Protection Mechanism Failure (CWE-693)
2026-06-17 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Malicious pickle is delivered over the network and requires the victim to load the file (UI:R); no prior auth or privileges are needed, and pickle deserialization yields full code execution (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 16:47 vuln.today
Analysis Generated
Jun 17, 2026 - 16:47 vuln.today

DescriptionCVE.org

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.

AnalysisAI

Security check bypass in PickleScan versions before 0.0.33 allows attackers to smuggle arbitrary code execution payloads past the scanner by invoking the pty.spawn function, which was omitted from the unsafe globals deny-list. Publicly available exploit code exists (released as part of the HeroCTF 2025 'Irreductible 2' challenge writeup), and the flaw is particularly impactful for platforms like Hugging Face and other ML pipelines that rely on PickleScan to vet PyTorch model files. No public exploit identified at time of analysis in CISA KEV.

Technical ContextAI

PickleScan is a static analysis tool maintained by mmaitre314 that inspects Python pickle streams (commonly embedded inside PyTorch .pt/.bin files and ZIP archives) for references to dangerous globals such as os.system, subprocess.Popen, or eval that would execute code when the pickle is deserialized. The tool relies on an allow/deny list of module-function pairs; CWE-693 (Protection Mechanism Failure) applies because the denylist was incomplete - the standard-library pty module's spawn() function, which internally invokes os.execlp on its first argument, was classified merely as 'suspicious' rather than 'dangerous'. An attacker can therefore hand-craft a pickle stream using the GLOBAL opcode to reference pty.spawn with arguments like ['/bin/sh'], and when the pickle is unpickled (e.g., via torch.load) the spawn call yields an interactive shell under the loading process. The CPE cpe:2.3:a:picklescan:picklescan:*:*:* indicates all versions prior to the fix are affected.

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.33 or later (pip install --upgrade picklescan), which adds pty.spawn to the dangerous-globals list per upstream PR https://github.com/mmaitre314/picklescan/pull/53 and commit 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab. Operators of model-hosting platforms should rebuild and redeploy any container images or services that pin an older picklescan version, and re-scan recently uploaded models with the fixed scanner since previously cleared artifacts may still contain pty.spawn payloads. As compensating controls until the upgrade is rolled out, refuse to deserialize pickle-based model formats and require safer alternatives such as safetensors, or load untrusted models inside a sandboxed/unprivileged container with no shell available on PATH (which neutralises pty.spawn's /bin/sh invocation) - note that the sandbox approach still permits other unsafe globals not covered by this CVE, so it is not a substitute for the patch.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy