Skip to main content

picklescan EUVDEUVD-2025-210419

| CVE-2025-71364 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-04 VulnCheck GHSA-cf85-jm34-89c3
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-delivered malicious file with no auth (PR:N), but requires the victim to scan and then load it (UI:R); code execution yields high C and I, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 04, 2026 - 03:01 EUVD
Analysis Generated
Jul 04, 2026 - 02:15 vuln.today

DescriptionCVE.org

picklescan before 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can craft malicious pickle files embedding this built-in function that evade detection but execute arbitrary commands when loaded.

AnalysisAI

Detection bypass in picklescan before 0.0.30 lets a crafted pickle smuggle the asyncio.unix_events._UnixSubprocessTransport._start built-in past the scanner's malicious-opcode checks, so a model or pickle that picklescan reports as safe actually executes arbitrary OS commands when a victim deserializes it. Because picklescan is a security scanner used to vet untrusted ML artifacts (e.g. in AI model supply chains), this false-negative turns a trusted safety gate into a blind spot. No public exploit identified at time of analysis and it is not on CISA KEV, but the technique is fully described in the VulnCheck advisory.

Technical ContextAI

picklescan is a Python tool that statically inspects pickle files for dangerous reduce/GLOBAL references (functions like os.system, subprocess.Popen, eval) before a model is loaded, and is embedded in ML-artifact vetting workflows. The root cause is CWE-502 (Deserialization of Untrusted Data) combined with an incomplete denylist: Python pickle __reduce__ methods can name any importable callable, and picklescan's allow/deny logic did not flag asyncio.unix_events._UnixSubprocessTransport._start, an internal asyncio object that ultimately spawns a subprocess. An attacker embeds this built-in in a reduce tuple; the scanner sees an 'unknown/benign' global and passes the file, but the standard pickle/torch loader resolves and invokes it, launching an attacker-chosen process. The CPE cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:* confirms the vulnerable component is picklescan itself, not the downstream loader.

RemediationAI

Vendor-released patch: picklescan 0.0.30 - upgrade to 0.0.30 or later (pip install --upgrade 'picklescan>=0.0.30') so the scanner detects the asyncio.unix_events._UnixSubprocessTransport._start gadget; see the advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-q77w-mwjj-7mqx. Until upgraded, do not treat a picklescan 'clean' result on unpatched versions as authoritative: load untrusted pickles/models only inside a network-isolated, least-privilege sandbox or container (trade-off: added pipeline latency and infrastructure), prefer non-executable formats such as safetensors where possible (trade-off: not all models ship in that format), and layer a second scanner or restrict model ingestion to trusted, signed sources (trade-off: operational overhead and reduced model availability). Blocking or monitoring subprocess creation from Python model-loading workers can catch exploitation attempts that slip past an outdated scanner.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy