Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious pickle is delivered over the network (AV:N); exploitation is reliable once the gadget is crafted (AC:L), though it depends on a precondition the attacker does not control, namely that the victim runs a scan-then-load workflow (AT:P); no authentication to the victim is needed (PR:N), but the victim must choose to load the file (UI:P, the 4.0 "passive" interaction value; "UI:R" is CVSS 3.x notation). Code execution on load yields high confidentiality and integrity impact (VC:H/VI:H); VA:N because the payload is not inherently a denial of service.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims.
Analysis (AI)
Detection bypass in picklescan before 0.0.30 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing idlelib.pyshell.ModifiedInterpreter.runcommand inside a __reduce__ method, which the scanner fails to flag as dangerous. Any victim who relies on picklescan to vet PyTorch models or other pickle artifacts and then calls pickle.load() will execute attacker-supplied commands. Publicly available exploit code exists (PoC published in the GHSA advisory), no CISA KEV listing, and the issue is fixed in version 0.0.30.
Technical Context (AI)
picklescan is a Python static scanner designed to enumerate the callables referenced by pickle opcodes and flag known-dangerous ones (os.system, subprocess.*, eval, exec, etc.) before a user calls pickle.load(). It maintains an allow/deny list of module.function names. CWE-502 (Deserialization of Untrusted Data) is the underlying class: pickle's __reduce__ protocol lets any object specify an arbitrary callable plus arguments to be invoked at load time. The bypass leverages idlelib.pyshell.ModifiedInterpreter.runcommand - a method shipped inside CPython's standard idlelib package - which ultimately executes a string of Python source. Because picklescan's denylist did not enumerate idlelib.pyshell.ModifiedInterpreter.runcommand, a __reduce__ returning (ModifiedInterpreter.runcommand, (fake_self, payload)) passed the scan while still executing __import__('os').system(...) on load. CPE coverage is limited to cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:*.
Remediation (AI)
Vendor-released patch: upgrade picklescan to 0.0.30 or later (pip install -U "picklescan>=0.0.30", quoted so the shell does not treat ">" as a redirection); the fix is commit 1931c2d04eaca8d20597705ff39cab78ba364e4b referenced from GHSA-j343-8v2j-ff7w (https://github.com/mmaitre314/picklescan/security/advisories/GHSA-j343-8v2j-ff7w). Until the upgrade is rolled out, treat picklescan output as advisory only and refuse to pickle.load() untrusted artifacts; prefer safer formats such as safetensors for model weights, which removes the deserialization sink entirely (trade-off: existing .pt/.bin/.pkl assets must be re-serialized). As an interim denylist supplement, reject any pickle whose GLOBAL/STACK_GLOBAL opcodes reference the idlelib.* namespace, which has no legitimate use inside ML model files (trade-off: low false-positive risk, but it does not address the next undiscovered gadget). For multi-tenant model registries, run loads inside a sandboxed, network-egress-restricted worker so an undetected gadget cannot reach attacker infrastructure (trade-off: added orchestration complexity).
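Added example, not picklescan's own code: a minimal static walk of a pickle's opcode stream that lists the callables a load would resolve via GLOBAL (protocol 3 and below) or STACK_GLOBAL (protocol 4 and above), checks them against an exact-name denylist of the usual suspects, and then against the interim idlelib.* prefix rule from the remediation above. It illustrates both the scanner mechanics described under Technical Context and why an exact-name table lets idlelib.pyshell.ModifiedInterpreter.runcommand through. The denylist contents, the sample pickles and the placeholder arguments are constructed here; the gadget pickle is hand-assembled from opcode constants so idlelib is never imported, and no sample is ever passed to pickle.load().

```python
"""Static enumeration of pickle globals plus a denylist check.

Added illustration (not picklescan's code). Nothing here imports or
executes what the pickle references; pickletools.genops only decodes
the opcode stream.
"""
import collections
import pickle
import pickletools

# Opcodes that push a str onto the unpickler stack. STACK_GLOBAL consumes
# the two most recent ones as (module, qualname).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, qualname) that loading `data` would resolve.

    The string tracking approximates the real unpickler stack; it is
    sufficient for pickles produced by the stdlib Pickler, which pushes
    module and name immediately before STACK_GLOBAL.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            # genops returns the two newline-terminated fields as "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((strings[-2], strings[-1]))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found


# The shape of exact-name denylist the bypass slipped past (constructed;
# picklescan's real table is longer).
EXACT_DENYLIST = frozenset({
    "os.system", "os.popen", "subprocess.Popen", "subprocess.run",
    "subprocess.check_output", "builtins.eval", "builtins.exec",
    "builtins.__import__", "runpy.run_path",
})

# Interim supplement from the remediation: nothing in an ML artifact should
# reference IDLE's shell internals.
PREFIX_DENYLIST = ("idlelib.",)


def scan(data: bytes, exact=EXACT_DENYLIST,
         prefixes: tuple[str, ...] = ()) -> list[str]:
    """Return the dotted names in `data` that match the denylist."""
    hits = []
    for module, name in referenced_globals(data):
        full = f"{module}.{name}"
        if full in exact or full.startswith(prefixes):
            hits.append(full)
    return hits


def reduce_pickle(module: str, qualname: str, *args: str) -> bytes:
    """Hand-assemble a protocol-4 pickle that, if loaded, would call
    module.qualname(*args). Built byte by byte so the gadget module is
    never imported on the scanning side."""
    def push_str(text: str) -> bytes:
        raw = text.encode()
        assert len(raw) < 256, "SHORT_BINUNICODE carries a 1-byte length"
        return pickle.SHORT_BINUNICODE + bytes([len(raw)]) + raw

    out = pickle.PROTO + b"\x04"
    out += push_str(module) + push_str(qualname) + pickle.STACK_GLOBAL
    out += pickle.MARK + b"".join(push_str(a) for a in args) + pickle.TUPLE
    return out + pickle.REDUCE + pickle.STOP


def benign_sample(protocol: int = 4) -> bytes:
    """A legitimate pickle that references one class (collections.OrderedDict)."""
    return pickle.dumps(collections.OrderedDict(bias=0.5), protocol=protocol)


# Constructed samples. The second mirrors the advisory's shape,
# (ModifiedInterpreter.runcommand, (fake_self, payload)); both arguments are
# inert placeholder strings and the bytes are never passed to pickle.loads.
CLASSIC_GADGET = reduce_pickle("os", "system", "echo classic")
IDLELIB_GADGET = reduce_pickle("idlelib.pyshell", "ModifiedInterpreter.runcommand",
                               "<fake_self placeholder>", "print('payload placeholder')")


if __name__ == "__main__":
    print("benign:", referenced_globals(benign_sample()), scan(benign_sample()))
    print("os.system gadget:", scan(CLASSIC_GADGET))
    print("idlelib gadget, exact list only:", scan(IDLELIB_GADGET))
    print("idlelib gadget, with prefix rule:",
          scan(IDLELIB_GADGET, prefixes=PREFIX_DENYLIST))
```

The exact-name table flags the os.system sample and returns nothing for the idlelib sample, which is the bypass in one line of output; adding the idlelib. prefix closes it for this gadget only, which is why the remediation still calls for the upgrade and for keeping untrusted artifacts away from pickle.load() altogether.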
External POC / Exploit Code
EUVD-2025-210293
GHSA-8mc5-7w9m-fqv6