picklescan
CVE-2025-71323
CRITICAL
Severity by source
Vendor (VulnCheck), primary rating: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Rationale: the attacker supplies the pickle remotely with no privileges (AV:N, PR:N). The vendor vector scores no user interaction (UI:N), although a victim still has to scan the file and then load it, which a stricter assessor might score as UI:R; in either case the attacker gains full code execution in the loading process, hence VC/VI/VA:H.
Description (CVE.org)
picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox protections and gadget chain detection.
Analysis (AI)
Remote code execution in picklescan before 0.0.33 lets attackers bypass the tool's malicious-pickle detection by smuggling the unblocked ctypes module into a pickle payload. The working POC in the GHSA-4675-36f9-wf6r advisory loads kernel32.dll via ctypes.WinDLL and invokes WinExec to launch an arbitrary command. picklescan itself only parses opcodes and never unpickles, so nothing runs during the scan; the payload fires when a downstream consumer (typically a model loader) calls pickle.load on the file that picklescan reported as clean. Public exploit code exists, and the flaw undermines the very guarantee picklescan is deployed to provide for ML model pipelines.
Technical Context (AI)
picklescan is a Python tool widely used to vet pickle files (commonly Hugging Face/PyTorch model artifacts) for dangerous imports before deserialization. Its denylist of risky modules omitted ctypes, Python's foreign function interface, which can load native shared libraries, call C functions, and read or write raw memory. CWE-184 (Incomplete List of Disallowed Inputs) captures the root cause: an allow-by-default scanner whose blocklist failed to enumerate a class of equally dangerous primitives. Because pickle's __reduce__ protocol can chain arbitrary callables, an attacker can construct ctypes.WinDLL('kernel32.dll'), retrieve WinExec from it via operator.itemgetter, and invoke it with operator.methodcaller; none of these globals trip picklescan's gadget detection. The published POC is Windows-specific, but the gap is not: ctypes.CDLL gives the same native access on Linux and macOS, so a denylist entry has to cover the whole module rather than the WinDLL class alone.
Remediation (AI)
Vendor-released patch: upgrade picklescan to 0.0.33 or later (fix landed in https://github.com/mmaitre314/picklescan/pull/53, commit 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab); pin this minimum version in requirements.txt, Poetry/Pipenv lockfiles, and any CI image baselines. If an immediate upgrade is not possible, add ctypes (and related FFI modules such as cffi) to a wrapper denylist around picklescan, or pre-filter pickle opcodes that reference ctypes.* before passing files to picklescan; note that this is fragile and will miss aliasing and other scanner bypasses. As a stronger compensating control, treat picklescan results as advisory only and load untrusted pickles inside a sandboxed worker with no native library access (seccomp on Linux, AppContainer/Job Object on Windows), accepting the trade-off of added latency and operational complexity. Longer term, prefer model formats that execute no code on load (such as safetensors) for untrusted artifacts. Refer to the GHSA-4675-36f9-wf6r advisory for vendor guidance.