Skip to main content

picklescan CVE-2025-71370

| EUVDEUVD-2025-210307 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-23 VulnCheck GHSA-q8qp-8jq6-78mc
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Malicious file delivered over network, victim must scan-then-load (UI:R); execWrapper yields arbitrary code execution so C/I/A all High.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 14:17 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 13:02 vuln.today
Analysis Generated
Jun 23, 2026 - 13:02 vuln.today

DescriptionCVE.org

picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via pickle.load().

AnalysisAI

Detection bypass in picklescan before 0.0.28 allows attackers to embed malicious torch.jit.unsupported_tensor_ops.execWrapper calls in pickle files that evade the scanner and execute arbitrary code when later loaded via pickle.load(). Publicly available exploit code exists in the GHSA advisory, and the flaw directly undermines the security guarantee picklescan is meant to provide for PyTorch model files. No CISA KEV listing and no EPSS data are provided, but the scanner bypass nature makes this a meaningful supply-chain risk for ML pipelines.

Technical ContextAI

picklescan is a Python library used to inspect pickle files - including PyTorch model artifacts that wrap pickle internally - for known-dangerous import/call patterns before they are deserialized. The root cause is CWE-502 (Deserialization of Untrusted Data) expressed as an incomplete denylist: picklescan did not recognize torch.jit.unsupported_tensor_ops.execWrapper as a dangerous callable, even though it accepts a code string plus globals/locals dicts and executes them, providing the same primitive as eval/exec. Affected CPE is cpe:2.3:a:picklescan:picklescan:* for all versions up to and including 0.0.27, with the gap closed by adding execWrapper to the unsafe-globals list in PR #47 (commit 7f994d6).

RemediationAI

Vendor-released patch: picklescan 0.0.28 - upgrade with 'pip install --upgrade picklescan>=0.0.28' across all environments that scan untrusted pickle or PyTorch artifacts, and rebuild any container images that pin earlier versions. The underlying fix is PR https://github.com/mmaitre314/picklescan/pull/47 (commit 7f994d62084fe43f1cffdef2f9bae6923344ef53), and the authoritative advisory is https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vr7h-p6mm-wpmh with corroborating analysis at https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-torch-jit-unsupported-tensor-ops-execwrapper. Until the upgrade is rolled out, compensating controls include refusing to pickle.load any file whose provenance is not cryptographically verified, switching model serialization to safetensors where feasible (trade-off: requires model conversion and may not cover every PyTorch artifact), and sandboxing model-loading workers in a non-privileged container with no network egress so that a successful execWrapper payload cannot reach internal services; note that adding a second scanner such as ModelScan is helpful but does not guarantee coverage of this specific gadget.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71370 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy