Skip to main content

picklescan CVE-2025-71371

| EUVDEUVD-2025-210391 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-30 VulnCheck GHSA-h96j-r2w4-m289
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote payload but exploitation needs the victim to scan with a vulnerable picklescan and then load the file, so AC:H and UI:R; successful unpickling yields full RCE, hence C:H/I:H/A:H with PR:N.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:28 vuln.today

DescriptionCVE.org

picklescan before 0.0.29 fails to detect malicious pickle files using code.InteractiveInterpreter.runcode in reduce methods. Attackers can craft pickle payloads that bypass picklescan detection and execute arbitrary code when loaded via pickle.load().

AnalysisAI

Malicious-pickle detection bypass in picklescan before 0.0.29 lets attackers smuggle weaponized pickle files past the scanner by abusing code.InteractiveInterpreter.runcode inside a __reduce__ method, leading to arbitrary code execution when the file is later deserialized with pickle.load(). picklescan is a security scanner specifically meant to flag dangerous pickles (e.g. in ML model files), so a gap in its blocklist directly defeats the control users rely on. Reported by VulnCheck with an assigned CVSS 4.0 score of 7.6; no public exploit and no CISA KEV listing identified at time of analysis.

Technical ContextAI

Python's pickle format is inherently unsafe: during unpickling, an object's __reduce__ method can return a callable and arguments that pickle will execute, which is the canonical CWE-502 (Deserialization of Untrusted Data) vector. picklescan defends against this by statically inspecting pickle opcodes/imports and blocklisting known dangerous callables before a file is trusted. The flaw is that its blocklist did not account for code.InteractiveInterpreter.runcode (from Python's standard code module), which can execute arbitrary Python passed to it. By routing payload execution through this unrecognized callable in a crafted __reduce__, an attacker produces a pickle that picklescan rates as clean but that runs code on load. The single affected component per CPE is cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: 0.0.29 - upgrade picklescan to 0.0.29 or later (e.g. pip install --upgrade 'picklescan>=0.0.29') so the scanner recognizes the code.InteractiveInterpreter.runcode vector. Until upgraded, do not treat a clean picklescan result from an older version as authoritative; compensating controls include refusing to load pickles from untrusted sources, preferring safe serialization formats such as safetensors for ML model weights (trade-off: requires model re-export/conversion), and unpickling only inside a sandboxed/least-privilege process with no network or sensitive filesystem access (trade-off: added operational complexity). Review the GitHub advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cj3c-v495-4xqh and the VulnCheck advisory at https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-code-interactiveinterpreter-detection-bypass for authoritative guidance.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy