Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Pickle is delivered over the network (AV:N), no auth needed (PR:N), but the victim must load the file (UI:R); successful deserialization yields full code execution, so C/I/A:H.
Primary rating from Vendor (VulnCheck).
CVSS Vector (Vendor: VulnCheck): as listed above.
Description (CVE.org)
picklescan before 0.0.28 fails to detect malicious pickle files that invoke the torch.utils._config_module.load_config function within __reduce__ methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply chain attacks.
Analysis (AI)
Detection bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code through pickle files by abusing torch.utils._config_module.load_config inside __reduce__ methods, defeating the library's malicious-pickle scanning and enabling remote code execution when the file is later loaded. Publicly available exploit code exists (GHSA-vv6j-3g6g-2pvj includes a working PoC), and the flaw is significant for any ML pipeline that trusts picklescan to vet third-party PyTorch model files. There was no CISA KEV listing at the time of analysis, so exploitation status is limited to a public PoC rather than confirmed in-the-wild use.
Technical Context (AI)
picklescan is a Python library that statically inspects pickle streams for dangerous opcodes and known-bad callables before pickle.load is invoked, and is widely used as a safety gate in front of PyTorch model loading. The root cause is CWE-502 (Deserialization of Untrusted Data): the scanner's allow/deny logic did not recognize torch.utils._config_module.load_config as a dangerous import, so a __reduce__ tuple that names this PyTorch internal as the callable passes scanning while still triggering arbitrary execution at deserialization time. ConfigModule.load_config internally evaluates the provided configuration payload, which an attacker uses as a secondary stage to invoke os.system or any other callable. Per the CPE cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* every release up to and including 0.0.27 is affected.
Remediation (AI)
Vendor-released patch: 0.0.28. Upgrade with pip install --upgrade "picklescan>=0.0.28" (quote the specifier so the shell does not treat > as a redirect) as the primary fix, per GHSA-vv6j-3g6g-2pvj, the upstream PR https://github.com/mmaitre314/picklescan/pull/47 and commit https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53. Where an immediate upgrade is not possible, add torch.utils._config_module.load_config and the broader torch.utils._config_module namespace to any local denylist used alongside picklescan, or refuse to deserialize PyTorch checkpoints that arrive as raw pickle and move consumers to the safetensors format (trade-off: models must be re-exported, and code paths that rely on Python objects inside the checkpoint may break). As a defensive control, run pickle.load only inside a sandboxed, network-egress-restricted worker so that even a successful bypass cannot reach internal systems; this adds operational complexity but contains supply-chain payloads.
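Added example, not picklescan's own code: an opcode-level denylist check of the kind the remediation above describes, applied to the import that the bypass in the technical context relies on. It walks the stream with pickletools.genops so nothing is executed, handles both the GLOBAL opcode (protocols 0 to 3) and STACK_GLOBAL (protocol 4+, where the module and name arrive as two preceding string opcodes), and extends the exact-callable match to the whole torch.utils._config_module namespace; the denylist contents and the sample pickles are constructed for illustration.

```python
import pickle
import pickletools

# Denylist assumed for illustration: the callable named in this CVE plus the whole
# torch.utils._config_module namespace. An entry ending in "." matches every name
# under that module prefix.
DENYLIST = {
    "torch.utils._config_module.load_config",
    "torch.utils._config_module.",
}

def is_denied(module: str, name: str, denylist=DENYLIST) -> bool:
    full = f"{module}.{name}"
    return any(full == d or (d.endswith(".") and full.startswith(d)) for d in denylist)

def find_denied_globals(data: bytes, denylist=DENYLIST) -> list[str]:
    """List 'module.name' for every denylisted import; never calls pickle.load."""
    hits, strings = [], []  # strings: recent string operands, consumed by STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # genops returns "module name"
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed pickle: STACK_GLOBAL without two string operands")
            name, module = strings.pop(), strings.pop()
        else:
            if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
                strings.append(arg)
            continue
        if is_denied(module, name, denylist):
            hits.append(f"{module}.{name}")
    return hits

def _global_pickle(module: str, name: str) -> bytes:
    # Constructed sample: a bare protocol-0 import with no arguments and no REDUCE,
    # so it carries no payload; loading it would only return the function object.
    return b"c" + module.encode() + b"\n" + name.encode() + b"\n."

def _stack_global_pickle(module: str, name: str) -> bytes:
    # Constructed sample: the same bare import written with protocol-4 opcodes.
    m, n = module.encode(), name.encode()
    return b"\x80\x04\x8c" + bytes([len(m)]) + m + b"\x8c" + bytes([len(n)]) + n + b"\x93."

SAMPLES = {  # constructed inputs, not real model files
    "benign": pickle.dumps({"weights": [0.1, 0.2]}, protocol=4),
    "global_v0": _global_pickle("torch.utils._config_module", "load_config"),
    "stack_global_v4": _stack_global_pickle("torch.utils._config_module", "load_config"),
    "namespace_sibling": _stack_global_pickle("torch.utils._config_module", "ConfigModule"),
}
```

The string tracking is a deliberately simple heuristic that assumes the encoder emits the module and name strings right before STACK_GLOBAL (a MEMOIZE in between is fine); a production scanner must model the full pickle stack and memo, including GET/BINGET of earlier strings, or the check can be sidestepped.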
External POC / Exploit Code
EUVD-2025-210291
GHSA-qvp4-q2p5-22gg