
picklescan CVE-2025-71344
EUVD-2025-210302 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-22 · VulnCheck
7.6 (CVSS 4.0 · Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary: 7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.8 HIGH
Rationale: network-delivered malicious file (AV:N), no authentication (PR:N), but the victim must scan and then load the file (UI:R); _run_pip yields full code execution, so C/I/A:H. Note that the vendor vector rates availability impact as VA:N while this rating uses VA:H, which accounts for most of the score difference.
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: None (N)
User Interaction: Passive (P)
Scope: not defined (X); CVSS 4.0 has no Scope metric

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Source Code Evidence Fetched: Jun 22, 2026 - 22:15 (vuln.today)
Analysis Generated: Jun 22, 2026 - 22:15 (vuln.today)

Description (CVE.org)

picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.

Analysis (AI)

A detection bypass in picklescan versions 0.0.26 and earlier (fixed in 0.0.30) lets attackers smuggle arbitrary code through malicious pickle files by abusing Python's stdlib ensurepip._run_pip function, which the scanner did not flag as dangerous. Organizations that rely on picklescan to vet PyTorch models or other serialized Python objects will see such a file reported as safe and then trigger remote code execution when pickle.load() is called on it. Public proof-of-concept code exists in the GHSA advisory, though no exploitation in active campaigns had been identified at the time of analysis.

Technical Context (AI)

picklescan is a Python library that statically inspects pickle files for dangerous opcodes and function references before anything is deserialized. It is used heavily in the ML ecosystem, notably to vet PyTorch model files, where pickle-based formats are still common. The vulnerability is a classic CWE-502 (Deserialization of Untrusted Data) detection bypass: picklescan's denylist of dangerous callables did not include ensurepip._run_pip, a stdlib helper that invokes pip with caller-supplied arguments. An attacker returns _run_pip from a class's __reduce__ method so that pickle.load/pickle.loads calls it during deserialization; because the scanner did not recognize the symbol, the file passed the pre-load safety check. This is the structural weakness of denylist scanning: any callable with side effects that is missing from the list is a potential bypass, and a scan result only means "no known-bad symbol found". Affected CPE: cpe:2.3:a:picklescan:picklescan, versions up to and including 0.0.26 (the advisory states <0.0.30).

Remediation (AI)

Vendor-released patch: upgrade picklescan to 0.0.30 or later (pip install --upgrade "picklescan>=0.0.30"; the quotes keep the shell from treating >= as a redirection), which adds ensurepip._run_pip to the dangerous-callable detection set per commit 1931c2d04eaca8d20597705ff39cab78ba364e4b. Until upgraded, treat results from older picklescan versions as non-authoritative and do one of the following: refuse to load pickle files from untrusted sources entirely; switch to a format that carries no executable content, such as safetensors for PyTorch weights (this eliminates the pickle execution risk but requires re-exporting models); or run pickle.load only inside a sandboxed, ephemeral container with no network egress and minimal filesystem privileges, which limits _run_pip's ability to fetch and install arbitrary packages but is containment rather than detection. Consult the GHSA advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-xp4f-hrf8-rxw7 for the authoritative fix details.
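The following is an added example, not picklescan's code and not the advisory's PoC. It illustrates both the Technical Context above (why a denylist scanner passes a pickle whose REDUCE target it does not know) and the Remediation (an allow-list unpickler that refuses the same stream before anything runs). The two denylists are illustrative stand-ins, not picklescan's real tables; the payload is hand-assembled from pickle opcode constants so the module never imports or calls ensurepip, the _run_pip argument is a harmless "--version", and the stream is only ever scanned or refused, never loaded unrestricted.

```python
"""Added example (not picklescan's code): a minimal denylist scanner over the
pickle opcode stream, the ensurepip._run_pip reference an incomplete denylist
lets through, and an allow-list unpickler that refuses it anyway."""
import io
import pickle
import pickletools

# Illustrative denylists only; picklescan's real detection tables differ.
OLD_DENYLIST = frozenset({("os", "system"), ("subprocess", "Popen"),
                          ("builtins", "eval"), ("builtins", "exec")})
FIXED_DENYLIST = OLD_DENYLIST | {("ensurepip", "_run_pip")}   # the 0.0.30-style addition


def build_payload(protocol: int) -> bytes:
    """Constructed demo pickle whose REDUCE would call ensurepip._run_pip(["--version"]).
    Hand-assembled from opcode constants (the same stream a __reduce__ returning
    _run_pip produces) so this module never imports ensurepip. Scanned and
    refused below, never loaded unrestricted."""
    def ustr(s: str) -> bytes:                   # push one str constant
        b = s.encode()
        if protocol >= 4:
            return pickle.SHORT_BINUNICODE + bytes([len(b)]) + b
        return pickle.BINUNICODE + len(b).to_bytes(4, "little") + b

    out = pickle.PROTO + bytes([protocol])
    if protocol >= 4:                            # STACK_GLOBAL: module and name pushed first
        out += ustr("ensurepip") + ustr("_run_pip") + pickle.STACK_GLOBAL
    else:                                        # GLOBAL: "module\nname\n" inline
        out += pickle.GLOBAL + b"ensurepip\n_run_pip\n"
    out += pickle.EMPTY_LIST + ustr("--version") + pickle.APPEND   # ["--version"]
    out += pickle.TUPLE1 + pickle.REDUCE + pickle.STOP             # _run_pip(["--version"])
    return out


def benign_payload() -> bytes:
    """Constructed control input: plain data, no global references at all."""
    return pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)


_UNICODE_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> list:
    """Static pass: every (module, name) a GLOBAL/STACK_GLOBAL opcode would
    import. Tracks pushed strings and the memo so STACK_GLOBAL operands that
    arrive via BINGET are still resolved. Nothing is executed."""
    refs, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)     # pickletools renders the pair as "module name"
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            refs.append((strings[-2], strings[-1]))
        elif op.name in _UNICODE_OPS:
            strings.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in _PUT_OPS:
            memo[arg] = last
        elif op.name in _GET_OPS and isinstance(memo.get(arg), str):
            strings.append(memo[arg])
        last = memo.get(arg) if op.name in _GET_OPS else arg
    return refs


def scan(data: bytes, denylist) -> list:
    """Denylist verdict: the hits; an empty list means 'nothing known-bad found'."""
    return [ref for ref in referenced_globals(data) if ref in denylist]


class AllowlistUnpickler(pickle.Unpickler):
    """Inverse policy: refuse any global not explicitly permitted, so a callable
    the scanner never heard of is rejected before REDUCE can run it."""
    def __init__(self, file, allowed):
        super().__init__(file)
        self._allowed = allowed

    def find_class(self, module, name):
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)


def allowlisted_load_rejects(data: bytes, allowed=frozenset()) -> bool:
    """True if the allow-list unpickler refused the stream."""
    try:
        AllowlistUnpickler(io.BytesIO(data), allowed).load()
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for proto in (2, 4):
        p = build_payload(proto)
        print(f"proto {proto}: refs={referenced_globals(p)} old={scan(p, OLD_DENYLIST)} "
              f"fixed={scan(p, FIXED_DENYLIST)} allowlist_rejects={allowlisted_load_rejects(p)}")
```

Against the hand-built payload, scan() with OLD_DENYLIST returns nothing (the "looks safe" verdict the advisory describes) while FIXED_DENYLIST reports the _run_pip reference; the allow-list unpickler refuses the stream under either protocol without any list update, which is why refusing unknown globals is the stronger control when untrusted pickles cannot be avoided.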


CVE-2025-71344 vulnerability details – vuln.today
