Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, no attacker auth (PR:N), but requires the victim to use picklescan and then load the file (AC:H/UI:R); successful unpickling yields full code execution, so C/I/A:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.30 fails to detect cProfile.run function calls in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files with cProfile.run payloads that bypass picklescan detection and achieve code execution upon deserialization.
AnalysisAI
Scanner-detection bypass in picklescan before 0.0.30 lets a crafted pickle file evade malicious-code detection and execute arbitrary code on deserialization. The tool - a Python security scanner used to vet untrusted pickle/ML model files - fails to flag cProfile.run calls embedded in a pickle object's __reduce__ method, so a payload routed through cProfile.run passes the scan and then runs when the file is loaded. Reported by VulnCheck (CWE-502); no public exploit identified at time of analysis and it is not in CISA KEV.
Technical ContextAI
picklescan is a defensive Python library that statically inspects pickle streams (and ML model archives) for known dangerous opcodes and callable references before a victim deserializes them, acting as a guardrail in ML supply chains such as model-hub downloads. The flaw is a CWE-502 (Deserialization of Untrusted Data) issue manifesting as an allow-list/detection gap: Python's pickle __reduce__ protocol can name an arbitrary callable to invoke at load time, and picklescan's blocklist of dangerous callables did not include cProfile.run, which itself executes a passed code string/statement. An attacker therefore wraps the real payload so the only top-level callable seen is cProfile.run, which the scanner treats as benign; on pickle.load, cProfile.run executes the attacker-supplied code. The CPE cpe:2.3:a:picklescan:picklescan:* confirms the affected component is the picklescan package itself, not the downstream application embedding it.
RemediationAI
Vendor-released patch: upgrade picklescan to version 0.0.30 or later, which adds detection for cProfile.run in reduce methods (advisory: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-49gj-c84q-6qm9). Pin the fixed version in requirements/lockfiles and rebuild any container images or CI jobs that vendor an older copy. Until you can upgrade, do not treat a clean picklescan result as sufficient assurance: avoid pickle.load on untrusted model files entirely, prefer non-executable formats such as safetensors where possible, and load any unavoidable pickle content in a sandboxed/network-isolated, least-privilege environment so that code execution is contained - the trade-off is added operational friction and slower model onboarding. Where feasible, layer a second scanner (e.g., another deserialization analyzer) so a single tool's blind spot is not the only control.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210389
GHSA-r9rj-xr26-286v