Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote delivery but no direct trigger (AV:N), victim must load a crafted pickle (UI:R) and attacker must craft a bypass (AC:H); no auth needed (PR:N); code execution yields full C/I/A impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
picklescan before 0.0.30 fails to detect the doctest.debug_script function when analyzing pickle files, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files embedding doctest.debug_script calls that bypass picklescan detection and execute arbitrary commands upon pickle.load invocation.
AnalysisAI
Detection bypass leading to arbitrary code execution in picklescan before 0.0.30 allows attackers to smuggle malicious payloads past the scanner by abusing the doctest.debug_script function, which picklescan's analyzer does not recognize as dangerous. Because picklescan is used to vet untrusted pickle/ML model files before loading, a crafted pickle marked 'safe' will execute attacker commands the moment pickle.load is invoked. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV, but the technique is well-understood and was disclosed by VulnCheck.
Technical ContextAI
The flaw lies in picklescan, a Python tool that statically inspects pickle opcodes to flag dangerous global references (e.g., os.system, builtins.exec) before a model file is deserialized. Pickle is an inherently unsafe serialization format because the REDUCE/GLOBAL opcodes can invoke arbitrary callables during unpickling - the classic CWE-502 (Deserialization of Untrusted Data) class. picklescan maintains a denylist of unsafe imports, but its list omitted doctest.debug_script, a standard-library function that can be coerced into executing arbitrary code. An attacker references this overlooked global, so the scanner returns a clean verdict while the underlying pickle remains weaponized. The affected CPE is cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* for all versions prior to 0.0.30.
RemediationAI
Vendor-released patch: upgrade picklescan to 0.0.30 or later, which adds detection for the doctest.debug_script vector - see the GitHub Security Advisory GHSA-fqq6-7vqf-w3fg (https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fqq6-7vqf-w3fg) and the VulnCheck advisory (https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-undetected-doctest-debug-script). Because picklescan is a denylist-based scanner that can never be exhaustive, do not treat a clean scan as proof of safety: prefer loading models in the safetensors format instead of pickle where possible (eliminates the deserialization risk entirely, though it requires converting/re-saving models), and restrict pickle.load to trusted, signed sources. If you must load untrusted pickles, deserialize inside a sandboxed, network-isolated, least-privilege container so that any code execution is contained (trade-off: added pipeline complexity and runtime overhead). Pin the picklescan dependency version in CI so the patched release is enforced across all build agents.
More in Picklescan
View allAn Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles
The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210390
GHSA-354x-p5rw-9f85