CVE-2025-71322 Overview
CVE-2025-71322 affects PickleScan, a Python library used to scan pickle files for malicious content before deserialization. Versions before 0.0.33 omit the pty.spawn function from the unsafe globals list. Attackers can craft pickle payloads that invoke pty.spawn to execute arbitrary commands when PickleScan processes the file. The flaw undermines the security boundary that machine learning pipelines and model hubs rely on to vet untrusted pickle artifacts. Exploitation requires a user or automated workflow to scan or load a malicious pickle file, after which code runs in the context of the scanning process.
Critical Impact
Attackers bypass PickleScan's safety checks and achieve arbitrary code execution on systems that process untrusted pickle files, including ML model scanning pipelines.
Affected Products
- PickleScan versions prior to 0.0.33
- Python machine learning pipelines that rely on PickleScan to vet pickle files
- Model registries and CI/CD systems integrating PickleScan as a safety gate
Discovery Timeline
- 2026-06-17 - CVE-2025-71322 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-71322
Vulnerability Analysis
PickleScan inspects pickle streams and flags references to dangerous globals such as os.system, subprocess.Popen, and builtins.eval. The scanner relies on an explicit deny list of module and function pairs considered unsafe. Version 0.0.33 introduces pty.spawn to that list after researchers demonstrated that the function had been omitted. Because the Python pty module is part of the standard library and pty.spawn accepts a command argument that it executes through a child process, it functions as an equivalent of os.system for the purposes of pickle exploitation. The weakness is classified under [CWE-693] Protection Mechanism Failure, indicating the defense itself is incomplete rather than a memory or logic flaw in deserialization.
Root Cause
The root cause is an incomplete deny list. PickleScan's unsafe globals registry did not enumerate pty.spawn, so pickle payloads referencing that function passed the scanner without warning. Any deny-list-based security control inherits this risk when new dangerous primitives are added to the underlying language or when existing primitives are overlooked.
Attack Vector
An attacker constructs a pickle file containing a REDUCE opcode that invokes pty.spawn with a shell command. The attacker delivers the file through a model hub, dataset bundle, or any channel where the victim runs PickleScan before loading the artifact. When PickleScan reports the file as safe and a downstream loader calls pickle.load, the pty.spawn callable executes the embedded command with the privileges of the loading process. The attack requires user interaction in the form of scanning or loading the malicious file.
// No verified public exploit code is available.
// Refer to the GitHub Security Advisory GHSA-hgrh-qx5j-jfwx for technical details.
Detection Methods for CVE-2025-71322
Indicators of Compromise
- Pickle files containing references to the pty module or the pty.spawn symbol within GLOBAL or STACK_GLOBAL opcodes
- PickleScan log entries reporting a file as safe immediately followed by spawned shell or terminal processes from the Python interpreter
- Unexpected child processes such as /bin/sh, bash, or cmd.exe parented to Python workers that load model artifacts
Detection Strategies
- Inspect pickle streams with a parser that enumerates every GLOBAL opcode and alert on any reference to pty, os, subprocess, posix, or nt modules
- Monitor process trees on machine learning training and inference hosts for Python processes that spawn interactive shells or pseudo-terminals
- Compare installed PickleScan versions across hosts against the fixed version 0.0.33 and flag older releases
Monitoring Recommendations
- Log all pickle file loads in ML pipelines with file hashes and source URLs to support retrospective hunts
- Enable command-line auditing on Linux through auditd and on Windows through process creation events to capture arguments passed to spawned shells
- Forward Python application logs and host telemetry to a centralized analytics platform for correlation across model ingestion workflows
How to Mitigate CVE-2025-71322
Immediate Actions Required
- Upgrade PickleScan to version 0.0.33 or later on every host, CI runner, and container image that scans pickle files
- Audit recently scanned pickle artifacts that the prior version cleared and rescan them with the patched release
- Restrict the privileges of accounts and service identities that load pickle files, removing shell and network access where possible
Patch Information
The maintainers fixed the issue in PickleScan 0.0.33 by adding pty.spawn to the unsafe globals list. Details are documented in the GitHub Security Advisory GHSA-hgrh-qx5j-jfwx and the VulnCheck advisory.
Workarounds
- Prefer safer serialization formats such as safetensors for model weights and JSON or Protocol Buffers for structured data
- Execute pickle loading inside sandboxed containers with no shell binaries, no outbound network access, and a read-only filesystem
- Maintain an allow list of trusted model publishers and verify signatures before any pickle file reaches a scanner or loader
# Upgrade PickleScan to the patched release
pip install --upgrade "picklescan>=0.0.33"
# Verify the installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

