Skip to main content

picklescan CVE-2025-71341

| EUVDEUVD-2025-210305 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-23 VulnCheck GHSA-mg57-j93w-g3c7
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered malicious file (AV:N), no auth needed (PR:N), but victim must load the scanned pickle (UI:R); full RCE yields C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 14:17 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 13:02 vuln.today
Analysis Generated
Jun 23, 2026 - 13:02 vuln.today

DescriptionCVE.org

picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution when the pickle file is loaded.

AnalysisAI

Detection bypass in picklescan prior to 0.0.29 allows attackers to smuggle remote code execution payloads through pickle files that the scanner incorrectly classifies as safe. The library fails to flag the built-in profile.Profile.runctx function when used in a __reduce__ method, so a downstream pickle.load() of the scanned file executes arbitrary Python. Publicly available exploit code exists in the GHSA-6vqj-c2q5-j97w advisory, though no active exploitation has been reported.

Technical ContextAI

picklescan is a Python static-analysis tool used to vet pickle files (commonly PyTorch model weights) for dangerous opcodes and callables before deserialization. CWE-502 (Deserialization of Untrusted Data) applies here in a layered way: pickle itself is the deserialization sink, while picklescan is the compensating control that is supposed to deny-list risky callables. The library maintains a list of known-bad imports (os.system, subprocess.*, eval, etc.) but missed profile.Profile.runctx - a stdlib profiler method that takes a string of code and an exec-style globals/locals pair, effectively equivalent to exec(). Affected CPE is cpe:2.3:a:picklescan:picklescan:* up to versions below 0.0.29, with the gap closed by commit aecd11b.

RemediationAI

Upgrade picklescan to version 0.0.29 or later, which adds profile.Profile.runctx to the detection list per commit aecd11be98702caa9ba9b12189d91ad596a36114; pin this minimum in requirements files and rebuild any container images that bundle the scanner. Review the GHSA-6vqj-c2q5-j97w advisory for the full patch details. As a compensating control until upgraded, treat picklescan results as advisory only and load untrusted pickle files inside a sandboxed worker (seccomp/gVisor/firejail) with no network egress and no filesystem write outside a tmpfs - accepting the latency and operational overhead of the sandbox - or convert incoming model weights to safetensors before loading, which eliminates the pickle code-execution surface entirely at the cost of requiring re-export of legacy artifacts.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy