Skip to main content

picklescan EUVDEUVD-2025-210390

| CVE-2025-71368 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-30 VulnCheck GHSA-354x-p5rw-9f85
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote delivery but no direct trigger (AV:N), victim must load a crafted pickle (UI:R) and attacker must craft a bypass (AC:H); no auth needed (PR:N); code execution yields full C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:28 vuln.today

DescriptionCVE.org

picklescan before 0.0.30 fails to detect the doctest.debug_script function when analyzing pickle files, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files embedding doctest.debug_script calls that bypass picklescan detection and execute arbitrary commands upon pickle.load invocation.

AnalysisAI

Detection bypass leading to arbitrary code execution in picklescan before 0.0.30 allows attackers to smuggle malicious payloads past the scanner by abusing the doctest.debug_script function, which picklescan's analyzer does not recognize as dangerous. Because picklescan is used to vet untrusted pickle/ML model files before loading, a crafted pickle marked 'safe' will execute attacker commands the moment pickle.load is invoked. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV, but the technique is well-understood and was disclosed by VulnCheck.

Technical ContextAI

The flaw lies in picklescan, a Python tool that statically inspects pickle opcodes to flag dangerous global references (e.g., os.system, builtins.exec) before a model file is deserialized. Pickle is an inherently unsafe serialization format because the REDUCE/GLOBAL opcodes can invoke arbitrary callables during unpickling - the classic CWE-502 (Deserialization of Untrusted Data) class. picklescan maintains a denylist of unsafe imports, but its list omitted doctest.debug_script, a standard-library function that can be coerced into executing arbitrary code. An attacker references this overlooked global, so the scanner returns a clean verdict while the underlying pickle remains weaponized. The affected CPE is cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* for all versions prior to 0.0.30.

RemediationAI

Vendor-released patch: upgrade picklescan to 0.0.30 or later, which adds detection for the doctest.debug_script vector - see the GitHub Security Advisory GHSA-fqq6-7vqf-w3fg (https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fqq6-7vqf-w3fg) and the VulnCheck advisory (https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-undetected-doctest-debug-script). Because picklescan is a denylist-based scanner that can never be exhaustive, do not treat a clean scan as proof of safety: prefer loading models in the safetensors format instead of pickle where possible (eliminates the deserialization risk entirely, though it requires converting/re-saving models), and restrict pickle.load to trusted, signed sources. If you must load untrusted pickles, deserialize inside a sandboxed, network-isolated, least-privilege container so that any code execution is contained (trade-off: added pipeline complexity and runtime overhead). Pin the picklescan dependency version in CI so the patched release is enforced across all build agents.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy