Skip to main content

picklescan CVE-2025-71362

| EUVDEUVD-2025-210418 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-04 VulnCheck GHSA-r9x2-mw85-9c4x
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Untrusted file delivered over the network (AV:N) but success needs a specific crackfortran gadget plus numpy present (AC:H) and the victim must load the file (UI:R); arbitrary code execution yields full C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 04, 2026 - 03:01 EUVD
Analysis Generated
Jul 04, 2026 - 02:13 vuln.today

DescriptionCVE.org

picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources.

AnalysisAI

Malicious-pickle detection bypass in picklescan before 0.0.33 lets attackers smuggle arbitrary code past the scanner by abusing numpy.f2py.crackfortran functions that call eval() on attacker-controlled strings. Because picklescan is itself the security tool meant to vet untrusted pickle/model files, this evasion causes a weaponized pickle to be marked safe, so the embedded code executes when the file is later deserialized. Reported by VulnCheck with a CVSS 4.0 score of 7.6; no public exploit identified at time of analysis and it is not in CISA KEV.

Technical ContextAI

picklescan is a Python utility that statically inspects pickle opcode streams for dangerous global imports/callables before an object or model is unpickled, and is widely used to guard ML supply chains (e.g. models pulled from public hubs). The root cause is CWE-502 (Deserialization of Untrusted Data) manifesting as an incomplete detection blocklist: picklescan did not classify numpy.f2py.crackfortran helper functions as dangerous, yet several of those functions internally call eval() on string arguments. An attacker can craft a pickle whose GLOBAL/REDUCE opcodes invoke a crackfortran function with a malicious expression, which the scanner deems benign but which evaluates arbitrary Python at load time. The affected component per CPE is cpe:2.3:a:picklescan:picklescan up to 0.0.32, fixed in 0.0.33; exploitation additionally depends on numpy being importable in the victim environment.

RemediationAI

Upgrade picklescan to the fixed release - Vendor-released patch: 0.0.33 - via pip (pip install --upgrade 'picklescan>=0.0.33') and rebuild any container images or CI pipelines that pin an older version, per GHSA-r8g5-cgf2-4m4m. Until upgraded, do not treat a picklescan pass as proof of safety for untrusted pickles: prefer safer serialization such as safetensors for model weights, and load untrusted pickles only in a sandboxed, network-isolated, least-privilege environment so the eval payload cannot cause real damage, at the cost of added operational overhead. As an additional compensating control, explicitly add numpy.f2py.crackfortran (and the broader numpy.f2py namespace) to any custom deserialization deny logic to block this specific gadget, accepting that such a hand-maintained list may still miss other eval sinks.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy