Skip to main content

picklescan CVE-2025-71376

| EUVDEUVD-2025-210308 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-23 VulnCheck GHSA-gq8p-2329-gh3x
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered pickle with low complexity, no attacker auth, but requires victim to load the file (UI:R); full RCE yields C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 14:17 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 13:03 vuln.today
Analysis Generated
Jun 23, 2026 - 13:03 vuln.today

DescriptionCVE.org

picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims.

AnalysisAI

Detection bypass in picklescan versions prior to 0.0.29 allows attackers to smuggle arbitrary code execution payloads through malicious pickle files by leveraging idlelib.autocomplete.AutoComplete.fetch_completions inside the __reduce__ method. Because the scanner does not flag this built-in Python function as dangerous, victims who rely on picklescan to vet PyTorch models or other pickle artifacts will load attacker-controlled code under pickle.load(). Publicly available exploit code exists (in the GHSA advisory), though no active in-the-wild exploitation has been reported.

Technical ContextAI

picklescan is a Python security utility (pip/picklescan) used to statically scan pickle files for dangerous opcodes and callables before deserialization, frequently applied to PyTorch model weights distributed via Hugging Face and similar registries. The root cause is a CWE-502 deserialization weakness manifesting as an incomplete denylist: the scanner's catalog of dangerous callables omits idlelib.autocomplete.AutoComplete.fetch_completions, a function in Python's standard library IDLE module that internally evaluates supplied expressions during tab-completion logic. By returning this callable from __reduce__, an attacker turns pickle deserialization into expression evaluation (e.g., __import__('os').system(...)) without tripping any of picklescan's detectors. The CPE cpe:2.3:a:picklescan:picklescan:*:*:* covers all versions before the 0.0.29 fix.

RemediationAI

Upgrade picklescan to 0.0.29 or later (pip install --upgrade 'picklescan>=0.0.29'), which incorporates the upstream fix in commit aecd11be98702caa9ba9b12189d91ad596a36114 referenced from the GHSA at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7cq8-mj8x-j263. If immediate upgrade is not feasible, treat picklescan output as advisory only and do not load untrusted pickle files based solely on a clean scan; preferred compensating controls include switching model distribution to safetensors where possible (eliminates pickle-based RCE entirely but requires re-saving models), executing pickle.load only inside a sandboxed/ephemeral process with no network or filesystem write access (adds operational overhead and may break model loaders that expect local cache), and explicitly blocking idlelib.* imports via a custom Unpickler.find_class allowlist (most reliable short-term mitigation but must be paired with a broader allowlist policy to be effective).

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2025-71376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy