Skip to main content

picklescan CVE-2025-71343

| EUVDEUVD-2025-210411 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-04 VulnCheck GHSA-8f67-79jr-8vpr
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered malicious file, no attacker privileges (PR:N), but victim must scan-then-load (UI:R); successful bypass yields arbitrary command execution, so C/I/A all High.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 04, 2026 - 03:01 EUVD
Analysis Generated
Jul 04, 2026 - 02:01 vuln.today

DescriptionCVE.org

picklescan before 0.0.30 fails to detect malicious pickle files that exploit lib2to3.pgen2.pgen.ParserGenerator.make_label function in the reduce method. Attackers can craft malicious pickle files with embedded code that evades detection but executes arbitrary commands when pickle.load() is called.

AnalysisAI

Detection bypass in picklescan before 0.0.30 lets attackers smuggle malicious pickle files past the scanner by abusing lib2to3.pgen2.pgen.ParserGenerator.make_label as a reduce callable, so a file that picklescan clears still runs arbitrary commands when downstream code calls pickle.load(). picklescan is the security control itself - a static scanner used to vet ML model artifacts - so this weakness undermines the exact protection teams rely on to catch unsafe pickles. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is documented in VulnCheck and vendor advisories.

Technical ContextAI

picklescan is a Python tool that statically inspects pickle opcode streams to flag dangerous globals/reduce callables before a model is deserialized, and is embedded in ML supply-chain workflows (notably around Hugging Face model loading). The root cause is CWE-502 (Deserialization of Untrusted Data): Python's pickle format permits arbitrary object reconstruction via the __reduce__ protocol, and picklescan maintains an allow/deny model of which callables are dangerous. Here the payload routes execution through lib2to3.pgen2.pgen.ParserGenerator.make_label - a function in the standard library's legacy 2to3 grammar-parsing machinery that was not on picklescan's malicious-callable list - so the malicious REDUCE reference evades the scanner's heuristics while remaining a live code path at unpickle time. The single CPE, cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:*, confirms the flaw is in picklescan itself, not in a consuming application.

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.30 or later, which adds detection for the lib2to3.pgen2.pgen.ParserGenerator.make_label bypass; pin the dependency to >=0.0.30 across CI, model-registry, and inference pipelines and rebuild any images that vendor an older copy. Consult the maintainer advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-p9w7-82w4-7q8m and the VulnCheck writeup at https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-lib2to3-pgen2-pgen-parsergenerator-make-label-detection-bypass for confirmation. Where immediate upgrade is not possible, do not treat a clean picklescan result as sufficient: prefer safetensors or other non-pickle formats for model weights (side effect: requires re-exporting models), load untrusted pickles only inside a network-isolated, least-privilege sandbox or container so a bypass yields no useful execution context (side effect: added deployment complexity), and restrict model ingestion to trusted/signed sources (side effect: slows onboarding of third-party models).

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy