Skip to main content

picklescan CVE-2025-71353

| EUVDEUVD-2025-210414 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-04 VulnCheck GHSA-chm9-4rm6-p4gf
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-delivered malicious artifact but AC:H and UI:R because the victim must load it in a torch environment relying on picklescan; PR:N as no auth is needed, and full RCE gives C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 04, 2026 - 03:01 EUVD
Analysis Generated
Jul 04, 2026 - 02:06 vuln.today

DescriptionCVE.org

picklescan before 0.0.28 fails to detect malicious pickle files that exploit torch._dynamo.guards.GuardBuilder.get function in reduce methods. Attackers can craft pickle files with embedded code that evades picklescan detection and executes arbitrary commands when loaded.

AnalysisAI

Detection bypass in picklescan before 0.0.28 lets attackers smuggle malicious pickle files past the scanner by abusing the torch._dynamo.guards.GuardBuilder.get gadget inside a __reduce__ method, so a file that picklescan reports as safe still executes arbitrary commands when deserialized (e.g. via torch.load). This undermines the security control that ML pipelines and model hubs rely on to vet untrusted model artifacts, turning a trusted-scan result into a false negative. Reported by VulnCheck with a vendor GHSA advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

The affected component (cpe:2.3:a:picklescan:picklescan) is a Python security scanner that statically inspects pickle opcode streams to flag dangerous callables before a model is deserialized. Python's pickle format (CWE-502, Deserialization of Untrusted Data) allows an object to define a __reduce__ method that returns a callable and arguments executed at load time; picklescan works by detecting known-dangerous callables in that stream. This flaw is a gadget-coverage gap: the torch._dynamo.guards.GuardBuilder.get function - part of PyTorch's Dynamo guard machinery - can be reached through a reduce method to obtain code execution, but picklescan's pre-0.0.28 detection logic did not recognize it as a dangerous import, so the crafted stream evades the allow/deny analysis. The actual code-execution primitive lives in PyTorch's deserialization path; picklescan's defect is failing to detect it.

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.28 or later, which adds detection for the torch._dynamo.guards.GuardBuilder.get gadget; see GHSA-86cj-95qr-2p4f (https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f) and the VulnCheck writeup (https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-torch-dynamo-guards-guardbuilder-get). Because the flaw is a scanner blind spot rather than a runtime bug, the strongest compensating control is to stop treating pickle scanning as a sufficient trust boundary: prefer non-executable model formats such as safetensors (trade-off: requires re-exporting or converting existing checkpoints), and load untrusted PyTorch checkpoints with weights_only=True where feasible (trade-off: fails on checkpoints that legitimately pickle non-tensor objects). Additionally, load only models from trusted, integrity-verified sources using signing or hash allowlists, and deserialize untrusted artifacts in a sandboxed or network-isolated environment so a successful reduce-method callback cannot reach sensitive systems (trade-off: added pipeline complexity and latency).

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy