Skip to main content

picklescan EUVDEUVD-2025-210386

| CVE-2025-71350 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-30 VulnCheck GHSA-px3v-38wh-q34v
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered malicious file requires the victim to scan-and-load it (UI:R) with no auth (PR:N); successful unpickling yields arbitrary command execution, so full C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:30 vuln.today

DescriptionCVE.org

picklescan before 0.0.28 fails to detect malicious pickle files using torch.utils.collect_env.run function in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims.

AnalysisAI

Malicious-pickle detection bypass in picklescan before 0.0.28 lets attackers smuggle remote-code-execution payloads past the scanner by hiding them in a pickle reduce method that invokes torch.utils.collect_env.run, which picklescan's blocklist failed to flag. Because picklescan is the gatekeeper many ML pipelines rely on to vet untrusted models (notably scanning Hugging Face artifacts), a 'clean' verdict on a weaponized file directly leads to command execution when the victim deserializes it. Reported by VulnCheck with a fix in 0.0.28; no public exploit identified at time of analysis and not listed in CISA KEV.

Technical ContextAI

picklescan is a Python tool that statically inspects Python pickle files for dangerous opcodes and global references before they are loaded, acting as a safety check for ML model distribution formats (e.g., PyTorch .bin/.pt files, which embed pickles). The root cause is CWE-502 (Deserialization of Untrusted Data): Python's pickle executes a __reduce__/REDUCE callable on load, and picklescan maintains an allow/deny list of callables it considers dangerous. The torch.utils.collect_env.run helper - a thin wrapper that shells out to run system commands for environment diagnostics - was not on picklescan's dangerous-callable list, so a reduce method pointing at it slipped through scanning while still providing arbitrary command execution at unpickle time. The CPE cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* confirms the affected component is the picklescan package itself, not PyTorch; PyTorch is merely the source of the abused gadget function.

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.28 or later, which adds torch.utils.collect_env.run to the detected dangerous-callable set; pin this minimum in requirements/CI so older versions cannot be reintroduced (see https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f745-w6jp-hpxx). Because this is a scanner-evasion bug rather than a flaw in the model loader, do not treat a picklescan 'clean' result from a pre-0.0.28 version as trustworthy. Until upgraded, compensating controls: prefer loading models in safetensors format instead of pickle (eliminates arbitrary-callable execution entirely, but requires re-exporting models); load untrusted pickles only with weights_only=True on supported PyTorch versions (blocks arbitrary global execution, though it rejects checkpoints that legitimately need non-tensor objects); and sandbox deserialization in a network-isolated, least-privilege container so a successful bypass cannot reach internal systems (adds operational overhead). Avoid relying on a second signature-based scanner alone, since the same allowlist-gap class can recur.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy