Skip to main content

picklescan EUVDEUVD-2025-210328

| CVE-2025-71361 HIGH
Eval Injection (CWE-95)
2026-06-24 VulnCheck
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered malicious file with low complexity and no auth, but requires the victim to scan-then-load (UI:R); full code execution gives C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 12:16 vuln.today
Analysis Generated
Jun 24, 2026 - 12:16 vuln.today

DescriptionCVE.org

picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().

AnalysisAI

Detection bypass in picklescan before 0.0.29 allows malicious pickle files to evade scanning by abusing the undetected idlelib.calltip.Calltip.fetch_tip function, enabling arbitrary code execution when the file is later loaded via pickle.load(). Affects ML supply chains relying on picklescan to vet PyTorch models; publicly available exploit code exists in the GHSA advisory, but no public exploit identified in active campaigns at time of analysis.

Technical ContextAI

picklescan is a Python library used to statically inspect pickle files (commonly distributed inside PyTorch/Hugging Face model artifacts) for invocations of dangerous callables before they are deserialized. The flaw is a classic CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) gap in picklescan's blocklist: idlelib.calltip.Calltip.fetch_tip internally calls get_entity(), which passes its argument to eval(). Because this function lives in Python's standard idlelib package, it is reachable on any default Python installation, yet was not enumerated in picklescan's dangerous-function list prior to 0.0.29 (CPE cpe:2.3:a:picklescan:picklescan:*).

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.29 or later (pip install --upgrade 'picklescan>=0.0.29'); the fix corresponds to upstream commit aecd11be98702caa9ba9b12189d91ad596a36114, which extends the dangerous-globals list to cover idlelib.calltip.Calltip.fetch_tip. Until the upgrade is rolled out across all scanning hosts, treat any picklescan verdict from older versions as untrusted and refuse to pickle.load() files from untrusted sources; for organizations that cannot upgrade immediately, a workable compensating control is to load model weights through safer formats such as safetensors (which removes the pickle attack surface entirely) or to run pickle.load only inside a hardened sandbox (gVisor, Firejail, ephemeral container with no network/secrets), accepting the latency and tooling cost. Consult the GHSA advisory (https://github.com/mmaitre314/picklescan/security/advisories/GHSA-8r4j-24qv-fmq9) for the authoritative fix details.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy