Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71320

CVE-2025-71320: picklescan RCE Vulnerability

CVE-2025-71320 is a remote code execution flaw in picklescan before version 0.0.33 that allows attackers to bypass security checks via malicious pickle files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71320 Overview

CVE-2025-71320 is a critical security flaw in picklescan, a Python library used to scan pickle files for malicious content before deserialization. Versions prior to 0.0.33 ship with an incomplete deny-list that fails to block the pydoc.locate and operator.methodcaller functions. Attackers can craft malicious pickle files that invoke these unblocked functions to achieve arbitrary code execution when the pickle is deserialized. The flaw is categorized under [CWE-184] (Incomplete List of Disallowed Inputs) and affects machine learning pipelines that rely on picklescan to vet untrusted model files.

Critical Impact

Remote attackers can bypass picklescan security checks and execute arbitrary code on systems that deserialize attacker-supplied pickle files, including ML model loaders that trust picklescan verdicts.

Affected Products

  • picklescan versions prior to 0.0.33
  • Python applications that depend on picklescan for pickle validation
  • Machine learning workflows that scan third-party model files before loading

Discovery Timeline

  • 2026-06-17 - CVE-2025-71320 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-71320

Vulnerability Analysis

picklescan enforces security by maintaining a deny-list of Python callables that are known to be dangerous when invoked during pickle deserialization. The library inspects pickle opcode streams and rejects files referencing entries on that list. The deny-list in versions before 0.0.33 omits two functions that are sufficient for arbitrary code execution: pydoc.locate and operator.methodcaller.

pydoc.locate resolves a dotted name into a Python object, which means it can return references to callables such as os.system or subprocess.Popen from a single string argument. operator.methodcaller constructs a callable that invokes a named method on its argument, providing another path to reach dangerous methods on imported objects. Pickle's REDUCE opcode then calls these resolved functions with attacker-controlled arguments during pickle.loads.

Because picklescan reports the file as safe, downstream tooling proceeds with deserialization and triggers code execution. The vulnerability undermines the trust boundary that ML platforms place on scanned model files.

Root Cause

The root cause is an incomplete blocklist [CWE-184]. The library enumerates known-bad symbols rather than enforcing a strict allow-list of permitted callables, so any dangerous function not explicitly listed passes inspection.

Attack Vector

An attacker hosts a malicious .pkl or .pt file on a model registry, dataset hub, or any network-reachable location. A victim downloads the file, runs picklescan to verify it, and receives a clean verdict. When the victim's application calls pickle.load or torch.load, the embedded reducer invokes pydoc.locate('os.system') or operator.methodcaller with attacker-controlled arguments, executing shell commands in the victim's process context. No authentication or user interaction beyond loading the file is required.

Technical details and proof-of-concept payloads are documented in the GitHub Security Advisory GHSA-84r2-jw7c-4r5q and the VulnCheck Remote Code Execution Advisory.

Detection Methods for CVE-2025-71320

Indicators of Compromise

  • Pickle files containing references to pydoc.locate or operator.methodcaller in their opcode stream
  • picklescan invocations returning clean verdicts on files that subsequently spawn shell or interpreter processes
  • Python processes that load .pkl, .pt, or .bin files and then launch sh, bash, cmd.exe, or powershell.exe child processes
  • Outbound network connections initiated by Python ML workloads shortly after model loading

Detection Strategies

  • Inventory all installations of picklescan and compare versions against 0.0.33 or later using pip show picklescan.
  • Statically scan pickle files for GLOBAL opcodes referencing pydoc.locate, operator.methodcaller, os.system, subprocess, or builtins.eval.
  • Hook pickle.Unpickler.find_class in instrumented environments to log every module and name resolved during deserialization.
  • Correlate model file ingestion events with subsequent process and network telemetry to identify post-deserialization execution.

Monitoring Recommendations

  • Alert on Python interpreters spawning shell processes within seconds of opening pickle or model files.
  • Monitor package registries and CI pipelines for downgrades that reintroduce picklescan versions below 0.0.33.
  • Log every model artifact pulled from external hubs such as Hugging Face, including hash and source URL.

How to Mitigate CVE-2025-71320

Immediate Actions Required

  • Upgrade picklescan to version 0.0.33 or later in every environment, including developer workstations, CI runners, and production model servers.
  • Treat any pickle file previously cleared by a vulnerable picklescan version as untrusted and rescan it after upgrading.
  • Quarantine ML model artifacts ingested from third-party sources until they are re-validated with the patched library.
  • Restrict outbound network access from processes that deserialize untrusted pickle data.

Patch Information

The maintainers released picklescan0.0.33, which extends the deny-list to cover pydoc.locate, operator.methodcaller, and related callables. Refer to the GitHub Security Advisory for the full set of changes and additional blocked symbols.

Workarounds

  • Replace pickle-based model formats with safer alternatives such as safetensors for PyTorch weights wherever possible.
  • Run model deserialization inside sandboxed containers with no outbound network access and minimal filesystem privileges.
  • Implement a strict allow-list Unpickler subclass that overrides find_class and rejects any module or name not on an approved list.
bash
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.33'

# Verify the installed version
pip show picklescan | grep -i version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.