CVE-2025-71321 Overview
CVE-2025-71321 is an arbitrary file write vulnerability in picklescan versions before 0.0.33. The library scans Python pickle files for malicious content but maintains an incomplete blocklist of dangerous functions. Attackers can bypass the blocklist by using distutils.file_util.write_file inside a crafted pickle object. When the pickle is deserialized, the call writes attacker-controlled content to arbitrary filesystem paths. This enables overwriting of critical system files, leading to denial of service or remote code execution on hosts that load untrusted machine learning models or pickle artifacts. The flaw is classified under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Attackers can overwrite arbitrary files on systems processing malicious pickle artifacts, enabling remote code execution and full host compromise.
Affected Products
- picklescan Python package, all versions before 0.0.33
- Machine learning pipelines that rely on picklescan to validate pickle or PyTorch model files
- Model registries and inference platforms ingesting third-party pickle artifacts
Discovery Timeline
- 2026-06-17 - CVE CVE-2025-71321 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-71321
Vulnerability Analysis
picklescan inspects Python pickle streams to flag dangerous opcodes and callables before deserialization. The library enforces a blocklist of high-risk modules and functions such as os.system or subprocess.Popen. The blocklist does not include distutils.file_util.write_file, a standard library helper that writes a list of strings to a target file path. Attackers craft a pickle that, when loaded, invokes write_file with a sensitive destination and attacker-supplied content. Because the scanner does not flag the call, downstream consumers treat the pickle as safe and proceed with deserialization.
Root Cause
The root cause is an incomplete deny list applied to pickle reducers. picklescan relies on enumeration of known dangerous callables rather than enforcing an allow list of safe operations. Any importable function with file system side effects that is not explicitly listed evades detection. distutils.file_util.write_file provides direct file write primitives and was omitted from the blocklist before version 0.0.33.
Attack Vector
An attacker publishes a malicious pickle or PyTorch checkpoint to a public model hub, package index, or shared storage location. A victim runs picklescan against the file, receives a clean verdict, and then loads the artifact with pickle.load or torch.load. During unpickling, the embedded reducer executes distutils.file_util.write_file and writes attacker-controlled bytes to paths such as ~/.bashrc, ~/.ssh/authorized_keys, cron directories, or Python site-packages files. Subsequent shell sessions, SSH logins, or Python imports execute the attacker payload. The attack requires no authentication and no user interaction beyond loading the model.
No verified proof-of-concept code is published in the referenced advisories. Technical details are available in the GitHub Security Advisory GHSA-m273-6v24-x4m4 and the VulnCheck Advisory.
Detection Methods for CVE-2025-71321
Indicators of Compromise
- Pickle or PyTorch files containing references to distutils.file_util or the write_file symbol in their opcode stream
- Unexpected modifications to shell startup files, SSH authorized keys, cron entries, or Python site-packages after model loading
- Python processes spawning child processes immediately after pickle.load or torch.load calls
- Files created or modified by Python interpreters in directories outside the active project workspace
Detection Strategies
- Statically scan pickle artifacts for GLOBAL opcodes that reference distutils, shutil, pathlib, or other modules exposing write primitives.
- Run pickle loading inside instrumented sandboxes that record file system syscalls and compare them to an expected baseline.
- Inventory installed picklescan versions across CI runners, MLOps platforms, and developer workstations to identify hosts below 0.0.33.
Monitoring Recommendations
- Enable file integrity monitoring on ~/.ssh, /etc/cron*, shell profile files, and Python site-packages directories on hosts that load external models.
- Forward process telemetry from ML training and inference nodes to a SIEM and alert on Python processes writing to sensitive system paths.
- Audit model registry uploads and capture hashes of pickle artifacts so that suspect files can be retrohunted after disclosure of new bypasses.
How to Mitigate CVE-2025-71321
Immediate Actions Required
- Upgrade picklescan to version 0.0.33 or later on every host, container image, and CI pipeline that performs pickle validation.
- Rescan all previously cleared pickle and PyTorch artifacts with the patched scanner and quarantine any that now trigger detections.
- Treat pickle files from untrusted sources as executable code and load them only inside isolated, ephemeral environments.
Patch Information
The maintainers fixed the vulnerability in picklescan version 0.0.33 by extending the dangerous import blocklist to cover distutils.file_util.write_file and related file write primitives. Refer to the GitHub Security Advisory GHSA-m273-6v24-x4m4 for the official fix details.
Workarounds
- Pin model ingestion pipelines to the safetensors format, which does not execute code during loading, and reject raw pickle uploads.
- Run pickle deserialization inside containers or sandboxes with read-only file system mounts and no network egress.
- Apply mandatory access controls such as AppArmor or SELinux profiles that deny Python interpreters write access to shell, SSH, and cron paths.
- Maintain an internal allow list of approved model publishers and require signature verification before any artifact reaches pickle.load.
# Configuration example
pip install --upgrade 'picklescan>=0.0.33'
picklescan --path /models/incoming/suspect_model.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

