Skip to main content

picklescan EUVDEUVD-2025-210292

| CVE-2025-71351 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-06-21 VulnCheck GHSA-fh2f-24rh-r2vq
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered malicious pickle (AV:N), no privileges (PR:N), but the victim must run picklescan and then pickle.load the file (UI:R); successful exec gives full code execution, so C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 22, 2026 - 06:01 vuln.today
Analysis Generated
Jun 22, 2026 - 06:01 vuln.today
Patch available
Jun 21, 2026 - 15:31 EUVD

DescriptionCVE.org

picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute when pickle.load() is called.

AnalysisAI

Detection bypass in picklescan versions before 0.0.25 allows attackers to embed remote code execution payloads in pickle files by abusing the built-in timeit.timeit() function inside a __reduce__ method, which is not on the unsafe-globals blacklist. Any organization using picklescan to vet PyTorch or other pickle-based model files is affected, and a working PoC is publicly documented in the GHSA advisory (no public exploit identified at time of analysis as a weaponized tool, but POC code is published).

Technical ContextAI

picklescan is a Python static-analysis tool that inspects pickle files for dangerous opcodes and globals before pickle.load() is called, typically to defend ML pipelines that load PyTorch model weights. The underlying weakness is CWE-184 (Incomplete List of Disallowed Inputs): the scanner enumerates known-bad modules such as os, subprocess, and posix, but timeit - a standard-library module whose timeit() function takes arbitrary Python source as its first argument and exec()s it - was absent from the blacklist. Because pickle's __reduce__ mechanism lets the deserializer call any importable callable with attacker-supplied arguments, returning (timeit.timeit, ('', 'import os; os.system(...)')) lets the attacker execute arbitrary code at pickle.load() time while picklescan reports zero dangerous globals. The affected component is cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* across all versions below 0.0.25.

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.25 or later (pip install --upgrade picklescan>=0.0.25), which adds timeit to the unsafe-globals blacklist; the upstream fix is tracked in https://github.com/mmaitre314/picklescan/pull/40 and announced in GHSA-v7x6-rv5q-mhwc. Where immediate upgrade is impossible, extend picklescan's unsafe-globals configuration to explicitly block timeit (and audit for other stdlib modules that exec/eval arbitrary strings such as pdb, code, codeop, runpy) - the trade-off is maintenance burden as new bypasses emerge. As compensating controls, refuse to pickle.load() untrusted artefacts and prefer safetensors for PyTorch weights, or load suspect pickles inside a network-egress-blocked, filesystem-isolated sandbox (container, gVisor, or seccomp) so that even successful RCE cannot reach the internet or production data; the trade-off is added pipeline complexity and latency. Do not rely on any single static scanner as the sole defence - treat picklescan as one layer.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy