Skip to main content

picklescan EUVDEUVD-2025-210425

| CVE-2025-71375 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-04 VulnCheck GHSA-xgj3-g5r2-m8rf
7.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Attacker-supplied file is network-delivered (AV:N) and simple to craft (AC:L), but code runs only when the victim scans and loads it (UI:R); full C/I compromise via code execution, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 04, 2026 - 03:01 EUVD
Analysis Generated
Jul 04, 2026 - 02:25 vuln.today

DescriptionCVE.org

picklescan before 0.0.34 fails to detect the _operator.methodcaller built-in function when scanning pickle files for malicious code. Attackers can craft malicious pickle payloads using _operator.methodcaller that evade detection and execute arbitrary code when loaded by pickle.load().

AnalysisAI

Malicious code execution via scanner bypass affects picklescan before 0.0.34, a security tool used to vet pickle files for unsafe deserialization before loading ML model artifacts. The scanner fails to flag the _operator.methodcaller built-in, so an attacker can craft a pickle that passes picklescan's malware check yet executes arbitrary code the moment a victim calls pickle.load(). No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; the fix landed in version 0.0.34.

Technical ContextAI

picklescan is a Python library and CLI that statically inspects pickle opcodes to detect dangerous global/reduce references before deserialization, commonly deployed in ML supply-chain pipelines (e.g., scanning Hugging Face model files). The root cause is CWE-502 (Deserialization of Untrusted Data) compounded by an incomplete denylist: picklescan enumerates known-dangerous callables but omitted _operator.methodcaller from its unsafe-globals set. methodcaller returns a callable that invokes an arbitrary named method on its argument, which pickle's REDUCE machinery can chain into code execution. Because the affected component is the scanner itself (cpe:2.3:a:picklescan:picklescan:*), every version prior to 0.0.34 provides a false sense of safety rather than a direct vulnerability in a runtime service.

RemediationAI

Vendor-released patch: 0.0.34 - upgrade picklescan to 0.0.34 or later (e.g., pip install --upgrade 'picklescan>=0.0.34') so the scanner recognizes _operator.methodcaller as an unsafe global, per the GHSA-955r-x9j8-7rhh advisory. Because a scanner bypass is only exploitable if you actually load the file, the strongest compensating control is to avoid pickle for untrusted inputs entirely: prefer safetensors or another non-executable serialization format for ML weights, which eliminates the deserialization class rather than patching one bypass (trade-off: requires converting/re-exporting existing model artifacts). Where pickle is unavoidable, load untrusted files only inside a sandboxed, network-isolated, least-privilege process and treat any picklescan 'clean' result on a pre-0.0.34 version as untrustworthy; do not rely on scanning alone as your trust boundary until the upgrade is applied.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

EUVD-2025-210425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy