Skip to main content

Picklescan EUVDEUVD-2025-210388

| CVE-2025-71355 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-06-30 VulnCheck GHSA-7jm4-f7vj-6pcc
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-delivered but requires the victim to load the pickle under a Picklescan-gated flow (UI:R, AC:H for that attack requirement); successful loading yields full code execution, so C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:29 vuln.today

DescriptionCVE.org

Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and execute arbitrary code during deserialization. Attackers can craft malicious pickle files using numpy.testing._private.utils.runstring within the reduce method to import dangerous libraries like os and execute arbitrary OS commands when the pickle file is loaded.

AnalysisAI

Static-analysis bypass in Picklescan before 0.0.25 lets attackers smuggle malicious pickle files past its malware scanner, leading to arbitrary OS command execution when a victim deserializes the file. Picklescan's denylist fails to flag unsafe Numpy globals, so a reduce method invoking numpy.testing._private.utils.runstring can import os and run commands while being reported as safe. No public exploit has been identified at time of analysis, though VulnCheck's advisory documents the exact gadget; the issue is not in CISA KEV. CVSS 4.0 base score is 7.6.

Technical ContextAI

Picklescan is a Python security tool that statically inspects pickle (.pkl) files - a common serialization format for ML model weights - to detect dangerous globals before deserialization, and it is integrated into ML supply-chain flows such as Hugging Face model scanning. The vulnerability is a CWE-184 (Incomplete List of Disallowed Inputs) failure: Picklescan maintains a denylist of unsafe callables but omits certain Numpy functions, notably numpy.testing._private.utils.runstring. Because Python's pickle protocol executes the callable named in an object's __reduce__ method during loading, an attacker who references a missed Numpy global can execute arbitrary Python (and via os, arbitrary OS commands) while Picklescan returns a clean verdict. The single affected component is cpe:2.3:a:picklescan:picklescan, with all versions before 0.0.25 affected.

RemediationAI

Vendor-released patch: 0.0.25 - upgrade Picklescan to 0.0.25 or later (e.g. pip install --upgrade 'picklescan>=0.0.25') so the missed Numpy globals are added to the denylist, per GHSA-fj43-3qmq-673f. Because this is a scanner-bypass, do not treat Picklescan as a sole trust boundary: where feasible, load untrusted pickles only under restricted execution (sandboxed/containerized worker with no outbound network and least-privilege OS user) so that a residual bypass cannot run useful commands, and prefer safer serialization formats such as safetensors for model weights, which removes pickle code-execution risk entirely (trade-off: requires producers to publish in that format). Restricting model ingestion to vetted, signed sources reduces the chance of a malicious pickle reaching the loader in the first place, at the cost of pipeline flexibility.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy