Skip to main content

picklescan CVE-2025-71354

| EUVDEUVD-2025-210327 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-24 VulnCheck
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered malicious pickle (AV:N), no auth to the scanner (PR:N), but victim must deserialise the file (UI:R); successful RCE yields full host impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 12:15 vuln.today
Analysis Generated
Jun 24, 2026 - 12:15 vuln.today

DescriptionCVE.org

picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

AnalysisAI

Detection bypass in picklescan before 0.0.29 allows attackers to craft malicious pickle files using idlelib.debugobj.ObjectTreeItem.SetText in __reduce__ methods that evade the scanner's dangerous-function checks, resulting in arbitrary command execution when the victim subsequently calls pickle.load(). The flaw turns picklescan from a security control into a false-assurance tool for ML pipelines that consume untrusted PyTorch models. Publicly available exploit code exists via the GHSA advisory, though no public exploit identified in active campaigns at time of analysis.

Technical ContextAI

picklescan is a Python library that statically inspects pickle streams to flag dangerous opcodes and known-bad callables before pickle.load() is invoked, commonly used in ML supply chains to vet PyTorch model files. CWE-502 (Deserialization of Untrusted Data) is the root cause: picklescan maintains an allow/deny list of callables, but idlelib.debugobj.ObjectTreeItem.SetText - a method exposed by the stdlib IDLE debugger - was not in its denylist despite being a usable code-execution sink when wrapped in __reduce__. The CPE cpe:2.3:a:picklescan:picklescan:*:*:* identifies the pip-distributed picklescan package as the affected component; the underlying pickle protocol and idlelib remain unchanged.

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.29 or later (pip install --upgrade picklescan>=0.0.29), which adds idlelib.debugobj.ObjectTreeItem.SetText to the denylist per commit aecd11be98702caa9ba9b12189d91ad596a36114 referenced in GHSA-3vg9-h568-4w9m. Until upgraded, treat picklescan output as advisory rather than authoritative: refuse pickle-format model files from untrusted sources and require safetensors equivalents where available (trade-off: not all upstream models publish safetensors weights, so some HF integrations may break). As a structural mitigation, load suspect pickles only inside an unprivileged sandbox or ephemeral container with no outbound network and read-only filesystem so that a successful __reduce__ payload cannot pivot - note that this adds latency to model-loading pipelines and may need orchestrator changes.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy