
picklescan EUVD-2025-210291

CVE-2025-71348 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-21 VulnCheck GHSA-qvp4-q2p5-22gg
7.6 (CVSS 4.0) · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Pickle is delivered over the network (AV:N), no auth needed (PR:N), but the victim must load the file (UI:R); successful deserialization yields full code execution, so C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Passive

Lifecycle Timeline

Source Code Evidence Fetched
Jun 22, 2026 - 06:00 vuln.today
Analysis Generated
Jun 22, 2026 - 06:00 vuln.today
Patch available
Jun 21, 2026 - 15:31 EUVD

Description (CVE.org)

picklescan before 0.0.28 fails to detect malicious pickle files that invoke the torch.utils._config_module.load_config function from within __reduce__ methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply chain attacks.

Analysis (AI)

Detection bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code through pickle files by abusing torch.utils._config_module.load_config inside __reduce__ methods, defeating the library's malicious-pickle scanning and enabling remote code execution when the file is later loaded. Publicly available exploit code exists (GHSA-vv6j-3g6g-2pvj includes a working PoC), and the flaw is significant for any ML pipeline that trusts picklescan to vet third-party PyTorch model files. There was no CISA KEV listing at the time of analysis, so exploitation status is limited to a public PoC rather than confirmed in-the-wild use.

Technical Context (AI)

picklescan is a Python library that statically inspects pickle streams for dangerous opcodes and known-bad callables before pickle.load is invoked, and is widely used as a safety gate in front of PyTorch model loading. The root cause is CWE-502 (Deserialization of Untrusted Data): the scanner's allow/deny logic did not recognize torch.utils._config_module.load_config as a dangerous import, so a __reduce__ tuple that names this PyTorch internal as the callable passes scanning while still triggering arbitrary execution at deserialization time. ConfigModule.load_config internally evaluates the provided configuration payload, which an attacker uses as a secondary stage to invoke os.system or any other callable. Per the CPE cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* every release up to and including 0.0.27 is affected.

Remediation (AI)

Vendor-released patch: 0.0.28. Upgrade with `pip install --upgrade "picklescan>=0.0.28"` (the version specifier must be quoted so the shell does not treat `>` as a redirect) as the primary fix, per GHSA-vv6j-3g6g-2pvj, the upstream PR https://github.com/mmaitre314/picklescan/pull/47 and commit https://github.com/mmaitre314/picklescan/commit/7f994d62084fe43f1cffdef2f9bae6923344ef53. Where an immediate upgrade is not possible, add torch.utils._config_module.load_config and the broader torch.utils._config_module namespace to any local denylist used alongside picklescan, or refuse to deserialize PyTorch checkpoints that arrive as raw pickle and switch consumers to the safetensors format (trade-off: this requires re-exporting models and may break code paths that rely on Python objects inside the checkpoint). As a defensive control, run pickle.load only inside a sandboxed, network-egress-restricted worker so that even a successful scanner bypass cannot reach internal systems; this adds operational complexity but contains supply-chain payloads.
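The two compensating controls above (a local denylist for torch.utils._config_module checked before pickle.load, and a loader that only resolves allowlisted modules) as an added Python example; this is not code from vuln.today, picklescan or PyTorch. The extra denylist prefixes, the allowlist and the fixture byte strings are assumptions constructed for illustration, and the static pass is deliberately simple (it does not resolve memo GET opcodes), which is why the find_class allowlist is the control that actually holds.

```python
import collections
import io
import pickle
import pickletools

# Module prefixes a model loader should never see referenced in a pickle stream:
# torch.utils._config_module is from the advisory; the others are assumed extras.
DENY_MODULE_PREFIXES = ("torch.utils._config_module", "os", "subprocess", "builtins")
# Assumption: the only modules checkpoints in this pipeline legitimately reference.
ALLOW_MODULES = {"collections", "numpy", "numpy.core.multiarray", "torch._utils", "torch.storage"}

def is_denied_module(module: str) -> bool:
    return any(module == p or module.startswith(p + ".") for p in DENY_MODULE_PREFIXES)

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Static pass: walk the opcode stream without executing it and collect
    (module, name) for every GLOBAL / STACK_GLOBAL reference."""
    found, strings = [], []  # strings pushed so far; memo GETs are not resolved
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":  # protocol <= 3 encodes "module name" inline
            found.append(tuple(arg.split(" ", 1)))
        elif "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol 4+
            found.append((strings[-2], strings[-1]))
    return found

def scan(data: bytes) -> list[str]:
    """Findings such as 'torch.utils._config_module.load_config'."""
    return [f"{m}.{n}" for m, n in referenced_globals(data) if is_denied_module(m)]

class RestrictedUnpickler(pickle.Unpickler):
    """Dynamic control: find_class runs before any import, so a module outside
    the allowlist is refused even if the static scan was bypassed."""
    def find_class(self, module, name):
        if module in ALLOW_MODULES and not is_denied_module(module):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def safe_load(data: bytes, static_scan: bool = True):
    """Scan first (as picklescan does), then load via the restricted unpickler."""
    if static_scan and (findings := scan(data)):
        raise pickle.UnpicklingError("denylisted globals: " + ", ".join(findings))
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed fixtures, not real model files. SUSPICIOUS only *references*
# torch.utils._config_module.load_config via a GLOBAL opcode and then stops.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)
ALLOWED_REF = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
SUSPICIOUS = b"\x80\x02ctorch.utils._config_module\nload_config\n."
```

Calling `safe_load(SUSPICIOUS, static_scan=False)` shows the second layer doing its job: the reference is refused in find_class before torch is ever imported.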


EUVD-2025-210291 vulnerability details – vuln.today
