
Picklescan CVE-2025-71339

HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-22 VulnCheck
7.6
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-delivered malicious file, victim must run Picklescan and load it (UI:R); no auth needed (PR:N); RCE yields C:H/I:H but no inherent availability impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P (Passive)
Scope: X (not defined)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 22, 2026 - 22:15 (vuln.today)
Analysis Generated: Jun 22, 2026 - 22:15 (vuln.today)

Description (CVE.org)

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.

Analysis (AI)

Arbitrary code execution in Picklescan before 0.0.33 occurs because the scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside a pickle __reduce__ method, allowing crafted pickle files to be marked safe while still executing attacker-supplied Python on load. Workflows that rely on Picklescan to vet untrusted pickle or PyTorch model artifacts are exposed to supply-chain poisoning, and publicly available exploit code exists in the GHSA advisory.

Technical Context (AI)

Picklescan is a Python library used to statically inspect pickle files for dangerous imports and callable references before pickle.load() is invoked, commonly applied to PyTorch model checkpoints distributed as untrusted artifacts. The root cause is CWE-502 (Deserialization of Untrusted Data) combined with an incomplete denylist: the scanner does not know that numpy.f2py.crackfortran._eval_length - a NumPy F2PY helper that internally evaluates a string expression - can be repurposed as a code-execution gadget when returned from __reduce__. Because pickle reconstruction invokes the returned callable with attacker-controlled arguments, the gadget effectively functions as an eval primitive, bypassing Picklescan's safety verdict. The affected CPE is cpe:2.3:a:picklescan:picklescan prior to 0.0.33.

Remediation (AI)

Vendor-released patch: upgrade Picklescan to 0.0.33 or later (pip install --upgrade "picklescan>=0.0.33"; the quotes keep the shell from treating >= as a redirect), which adds detection for the numpy.f2py.crackfortran._eval_length gadget per PR https://github.com/mmaitre314/picklescan/pull/53 and commit 70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab. Until the upgrade is rolled out, do not rely on Picklescan's verdict as the sole gate for loading untrusted pickle or PyTorch model files: prefer safetensors or other non-executable serialization formats, sandbox pickle.load() in a disposable process or container with no network and no credentials, and pin model sources to trusted publishers with signature verification (trade-off: safetensors does not support arbitrary Python objects, and sandboxing adds latency and orchestration cost). Additionally, denylist numpy.f2py.crackfortran._eval_length in any internal pickle allowlist scanners as a stopgap, recognizing that other equivalent gadgets likely remain undiscovered.
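A static import scanner illustrating the detection gap described under Technical Context and the denylist stopgap from Remediation (added example, not Picklescan's or NumPy's code): it disassembles a pickle stream with pickletools.genops without executing anything, flags the gadget named above, and treats any import outside a small allowlist as suspicious, since denylists alone miss undiscovered gadgets. The DENYLIST, ALLOWLIST and sample pickle streams are constructed for this example; the gadget sample carries only a harmless arithmetic string.

```python
"""Static pickle import scanner (added example, not Picklescan's own code)."""
import pickle
import pickletools
from collections import OrderedDict

# Constructed denylist: the gadget named in this advisory plus the eval primitive it emulates.
DENYLIST = {"numpy.f2py.crackfortran._eval_length", "builtins.eval"}
# Constructed allowlist: the only imports a plain-data checkpoint is expected to need.
ALLOWLIST = {"collections.OrderedDict"}

# Constructed samples. The gadget stream is hand-written protocol-0 opcodes:
# GLOBAL, MARK, STRING "2*3", EMPTY_DICT, TUPLE, REDUCE, STOP. It is never loaded.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]})
ORDERED_PICKLE = pickle.dumps(OrderedDict(a=1), protocol=4)
GADGET_PICKLE = b"cnumpy.f2py.crackfortran\n_eval_length\n(S'2*3'\n}tR."

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE"}


def scan_pickle(data: bytes) -> list[tuple[str, str]]:
    """Return (verdict, module.name) for every import opcode in the stream."""
    findings = []
    recent_strings = []  # STACK_GLOBAL takes module and name from the two preceding string pushes
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(arg)
            continue
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools joins the two lines with a space
        elif op.name == "STACK_GLOBAL":
            # Assumes CPython's pickler layout (module, name pushed directly before the opcode);
            # a production scanner should emulate the stack to handle memo references.
            module, name = recent_strings[-2], recent_strings[-1]
        else:
            continue
        qualified = f"{module}.{name}"
        if qualified in DENYLIST:
            verdict = "dangerous"
        elif qualified in ALLOWLIST:
            verdict = "ok"
        else:
            verdict = "suspicious"
        findings.append((verdict, qualified))
    return findings


def overall_verdict(data: bytes) -> str:
    """Worst finding wins; a stream with no imports at all is 'ok'."""
    seen = {v for v, _ in scan_pickle(data)}
    return next((lvl for lvl in ("dangerous", "suspicious") if lvl in seen), "ok")


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE), ("ordered", ORDERED_PICKLE), ("gadget", GADGET_PICKLE)]:
        print(label, overall_verdict(blob), scan_pickle(blob))
```

Only a stream whose every import is on the allowlist should be passed to pickle.load(), and even then inside the sandbox the Remediation section describes.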


CVE-2025-71339 vulnerability details – vuln.today
