Skip to main content

picklescan EUVDEUVD-2025-210389

| CVE-2025-71363 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-30 VulnCheck GHSA-r9rj-xr26-286v
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, no attacker auth (PR:N), but requires the victim to use picklescan and then load the file (AC:H/UI:R); successful unpickling yields full code execution, so C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:29 vuln.today

DescriptionCVE.org

picklescan before 0.0.30 fails to detect cProfile.run function calls in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files with cProfile.run payloads that bypass picklescan detection and achieve code execution upon deserialization.

AnalysisAI

Scanner-detection bypass in picklescan before 0.0.30 lets a crafted pickle file evade malicious-code detection and execute arbitrary code on deserialization. The tool - a Python security scanner used to vet untrusted pickle/ML model files - fails to flag cProfile.run calls embedded in a pickle object's __reduce__ method, so a payload routed through cProfile.run passes the scan and then runs when the file is loaded. Reported by VulnCheck (CWE-502); no public exploit identified at time of analysis and it is not in CISA KEV.

Technical ContextAI

picklescan is a defensive Python library that statically inspects pickle streams (and ML model archives) for known dangerous opcodes and callable references before a victim deserializes them, acting as a guardrail in ML supply chains such as model-hub downloads. The flaw is a CWE-502 (Deserialization of Untrusted Data) issue manifesting as an allow-list/detection gap: Python's pickle __reduce__ protocol can name an arbitrary callable to invoke at load time, and picklescan's blocklist of dangerous callables did not include cProfile.run, which itself executes a passed code string/statement. An attacker therefore wraps the real payload so the only top-level callable seen is cProfile.run, which the scanner treats as benign; on pickle.load, cProfile.run executes the attacker-supplied code. The CPE cpe:2.3:a:picklescan:picklescan:* confirms the affected component is the picklescan package itself, not the downstream application embedding it.

RemediationAI

Vendor-released patch: upgrade picklescan to version 0.0.30 or later, which adds detection for cProfile.run in reduce methods (advisory: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-49gj-c84q-6qm9). Pin the fixed version in requirements/lockfiles and rebuild any container images or CI jobs that vendor an older copy. Until you can upgrade, do not treat a clean picklescan result as sufficient assurance: avoid pickle.load on untrusted model files entirely, prefer non-executable formats such as safetensors where possible, and load any unavoidable pickle content in a sandboxed/network-isolated, least-privilege environment so that code execution is contained - the trade-off is added operational friction and slower model onboarding. Where feasible, layer a second scanner (e.g., another deserialization analyzer) so a single tool's blind spot is not the only control.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy