
picklescan CVE-2025-71325

CRITICAL
Unchecked Error Condition (CWE-391)
2026-06-17 VulnCheck
9.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.6 CRITICAL

Network-delivered malicious pickle, no attacker authentication, but a victim must load the file (UI:R in the 3.1 vector, UI:P in the 4.0 vector); the 3.1 vector is scored with a scope change (S:C) because the scanner's failure leads to code execution in a separate loader process with full C/I/A impact on that process.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Not a CVSS 4.0 metric (the 3.1 Scope metric is replaced by the Subsequent System metrics SC/SI/SA, all N in this vector)

Lifecycle Timeline (2 events)

Source Code Evidence Fetched: Jun 17, 2026 - 16:48 (vuln.today)
Analysis Generated: Jun 17, 2026 - 16:48 (vuln.today)

Description (CVE.org)

picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning.

Analysis (AI)

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past the scanner by exploiting an off-by-one parsing error in STACK_GLOBAL opcode handling. The flaw, reported by VulnCheck and tracked under GHSA-9gvj-pp9x-gcfr, lets crafted pickles trigger an unexpected exception in _list_globals so dangerous imports such as os.system go unflagged; a working PoC is published in the advisory and a vendor patch is available, though no public exploitation against deployments has been observed.

Technical Context (AI)

picklescan is a Python library used to statically scan pickle files for unsafe globals before deserialization, and the same parsing logic was reused by modelscan and by Hugging Face's online pickle scanners. In scanner.py the _list_globals function walks the pickle opcode stream and, when it sees a STACK_GLOBAL opcode at index n, must locate the two preceding string arguments that name the module and attribute being resolved. The buggy code walks backwards with offsets drawn from range(1, n) and inspects ops[n - offset]; the largest offset is n - 1, so the lowest index it ever examines is 1 and ops[0] is never looked at. An attacker who places the first string argument at index 0 (for example by omitting the usual PROTO header so that the module-name string is the very first opcode) therefore makes the scanner find only one of the two expected arguments and raise an exception, and the STACK_GLOBAL is never resolved to os.system or a similar dangerous global. CWE-391 (Unchecked Error Condition) captures the root cause: the parser treats its own failure to parse as benign instead of treating an unparseable STACK_GLOBAL as suspicious. CPE coverage is limited to cpe:2.3:a:picklescan:picklescan:*, but the GHSA notes the same logic flaw impacts modelscan and Hugging Face's hosted scanners.

Remediation (AI)

Vendor-released patch: upgrade picklescan to 0.0.27 or later (pip install --upgrade "picklescan>=0.0.27", quoted so the shell does not treat >= as a redirection); the corrective change in commit 2a8383cfeb4158567f9770d86597300c9e508d0f widens the iteration bound in _list_globals to range(1, n+1) so that the argument at position 0 is tracked. Confirm that any downstream wrappers, notably modelscan and self-hosted forks of the Hugging Face scanner, have either upgraded their picklescan dependency or applied the equivalent fix before trusting their verdicts again. As a compensating control until the upgrade is complete, treat picklescan/modelscan results as advisory only and either refuse to deserialize third-party pickles outright, transcode models to a safer format such as safetensors before loading, or run pickle.load only inside a sandboxed, network-isolated worker; each of these stops downstream RCE but breaks workflows that rely on transparent pickle ingestion. Monitor scanner logs for picklescan exceptions or parse errors and reject the file rather than allow-listing it on parser failure: the bypass manifests precisely as an unhandled exception during the scan, so a pipeline that fails open on scan errors is exactly the one the attacker needs.
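The STACK_GLOBAL argument lookup described under Technical Context, and the fail-closed handling recommended above, as an added example. This is not picklescan's code: it is a simplified reimplementation of the backward argument scan the advisory describes, written for this page. The functions list_stack_globals, scan and accept_for_loading, the opcode sets, the deny-list and the two sample pickles are all constructed here; the include_position_zero flag switches between the range(1, n) bound the CVE describes and the range(1, n+1) bound of the fix.

```python
"""Added example: a simplified STACK_GLOBAL argument scan, not picklescan's
own code. It reproduces the loop bound the CVE describes (offsets from
range(1, n) subtracted from the STACK_GLOBAL index n) next to the corrected
bound range(1, n + 1), and shows why a scanner must fail closed on a parse error."""
import pickletools
from typing import Dict, List, Tuple

# Opcodes that push a str; STACK_GLOBAL pops the top two as (module, name).
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
# Opcodes that leave the stack unchanged and may sit between the strings and
# STACK_GLOBAL (assumption: a reduced set that is sufficient for these samples).
TRANSPARENT_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
# Assumed deny-list for this example; picklescan's real list is longer.
DANGEROUS = {("os", "system"), ("builtins", "eval"), ("builtins", "exec"), ("subprocess", "Popen")}

# Constructed samples (not the advisory's PoC). Both would call os.system("id")
# when unpickled; they differ only in whether a PROTO opcode precedes "os".
NORMAL_PICKLE = b"\x80\x04" + b"\x8c\x02os\x8c\x06system\x93\x8c\x02id\x85R."
# No PROTO header: SHORT_BINUNICODE "os" is the opcode at index 0.
EVASIVE_PICKLE = b"\x8c\x02os\x8c\x06system\x93\x8c\x02id\x85R."


def list_stack_globals(data: bytes, include_position_zero: bool) -> List[Tuple[str, str]]:
    """Return (module, name) pairs resolved by each STACK_GLOBAL opcode.

    include_position_zero=False walks offsets in range(1, n): the smallest index
    inspected is n - (n - 1) = 1, so ops[0] is skipped (the bug).
    include_position_zero=True walks range(1, n + 1) and reaches ops[0] (the fix).
    Raises ValueError when fewer than two string arguments are found.
    """
    ops = [(op.name, arg) for op, arg, _pos in pickletools.genops(data)]
    found: List[Tuple[str, str]] = []
    for n, (name, _arg) in enumerate(ops):
        if name != "STACK_GLOBAL":
            continue
        upper = n + 1 if include_position_zero else n
        values: List[str] = []
        for offset in range(1, upper):
            prev_name, prev_arg = ops[n - offset]
            if prev_name in TRANSPARENT_OPS:
                continue
            if prev_name not in STRING_OPS:
                break  # arguments are computed rather than literal strings: give up on this opcode
            values.append(prev_arg)
            if len(values) == 2:
                break
        if len(values) != 2:
            raise ValueError(f"STACK_GLOBAL at opcode index {n}: found {len(values)} of 2 string arguments")
        # values[0] is the attribute name (pushed last), values[1] the module (pushed first).
        found.append((values[1], values[0]))
    return found


def scan(data: bytes, fixed: bool) -> Dict[str, object]:
    """Classify a pickle as clean, dangerous, or error (parser failure)."""
    try:
        globals_found = list_stack_globals(data, include_position_zero=fixed)
    except ValueError as exc:
        return {"verdict": "error", "globals": [], "detail": str(exc)}
    flagged = [g for g in globals_found if g in DANGEROUS]
    return {"verdict": "dangerous" if flagged else "clean", "globals": globals_found, "detail": ""}


def accept_for_loading(result: Dict[str, object], fail_closed: bool = True) -> bool:
    """Policy gate: a parser error is only ever accepted when failing open,
    which is exactly the behaviour the bypass relies on."""
    if result["verdict"] == "error":
        return not fail_closed
    return result["verdict"] == "clean"


if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_PICKLE), ("evasive", EVASIVE_PICKLE)):
        for fixed in (False, True):
            r = scan(blob, fixed)
            print(f"{label:8s} fixed={fixed!s:5s} verdict={r['verdict']:9s} globals={r['globals']} {r['detail']}")
```

With the buggy bound the normal pickle is flagged but the evasive one ends in "error" instead of "dangerous"; with the corrected bound both resolve to ("os", "system"). A loader that maps "error" to "proceed" is the fail-open path the advisory warns about, so accept_for_loading defaults to rejecting it.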
