Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71323

CVE-2025-71323: picklescan RCE Vulnerability

CVE-2025-71323 is a remote code execution vulnerability in picklescan before version 0.0.33 that allows attackers to bypass sandbox protections using ctypes. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71323 Overview

CVE-2025-71323 is a remote code execution vulnerability in picklescan versions before 0.0.33. The tool fails to include the Python ctypes module in its blocklist when scanning pickle files for malicious content. Attackers can craft pickle payloads that import ctypes.WinDLL, load kernel32.dll, and execute arbitrary commands through direct syscalls and raw memory access. This bypasses both the sandbox protections and the gadget chain detection logic that picklescan provides to machine learning model consumers. The flaw maps to CWE-184: Incomplete List of Disallowed Inputs.

Critical Impact

Attackers can achieve unauthenticated remote code execution on systems that rely on picklescan to validate untrusted machine learning model files.

Affected Products

  • picklescan versions prior to 0.0.33
  • Python environments scanning untrusted pickle or ML model files with vulnerable picklescan releases
  • Windows hosts where ctypes.WinDLL and kernel32.dll are reachable

Discovery Timeline

  • 2026-06-17 - CVE-2025-71323 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-71323

Vulnerability Analysis

picklescan inspects pickle files for dangerous imports and call patterns before they are deserialized. The scanner maintains a blocklist of Python modules and functions that are known to enable code execution. Versions before 0.0.33 omit the ctypes module from this list. An attacker who crafts a malicious pickle can reference ctypes symbols during unpickling without triggering an alert.

When the consumer of the pickle file proceeds to load the model, the embedded payload invokes ctypes.WinDLL to map kernel32.dll into the process. From there the payload calls Windows APIs directly, executes shellcode in allocated memory, and runs arbitrary commands. Because ctypes provides a direct bridge to native code, the attacker can sidestep Python-level sandboxing entirely.

Root Cause

The root cause is an incomplete denylist. picklescan enumerates known dangerous modules such as os, subprocess, and builtins, but does not treat ctypes and its submodules as equivalent code execution primitives. Any review tool that relies on enumeration of bad inputs rather than allowlisting is structurally exposed to this class of bypass.

Attack Vector

The attack vector is network-reachable in practice: malicious pickle files are typically distributed through public model hubs, package repositories, or shared datasets. A victim downloads a model that passes picklescan validation, loads it with pickle.load or a framework wrapper such as torch.load, and the embedded ctypes reducer executes. The attacker requires no authentication and no user interaction beyond the routine act of loading a scanned model.

A malicious pickle uses a __reduce__ method that returns a callable referencing ctypes.WinDLL. During unpickling, Python instantiates the callable with attacker-supplied arguments, loads kernel32.dll, and resolves functions such as VirtualAlloc, RtlMoveMemory, and CreateThread to execute shellcode in the host process. See the GitHub Security Advisory GHSA-4675-36f9-wf6r and the VulnCheck advisory on picklescan for technical details.

Detection Methods for CVE-2025-71323

Indicators of Compromise

  • Pickle or ML model files that contain references to ctypes, ctypes.WinDLL, ctypes.CDLL, or kernel32.dll in their serialized opcodes
  • Python processes that load kernel32.dll shortly after deserializing a model file
  • Unexpected child processes spawned by Python interpreters or ML training and inference workers

Detection Strategies

  • Statically inspect pickle opcodes with pickletools.dis and flag any GLOBAL or STACK_GLOBAL opcode referencing ctypes or other native-code modules
  • Run model loading in an isolated environment and monitor for LoadLibrary calls targeting kernel32.dll, ntdll.dll, or other system libraries
  • Compare installed picklescan versions against 0.0.33 across CI pipelines and data science workstations

Monitoring Recommendations

  • Audit endpoint telemetry for Python processes that allocate executable memory using VirtualAlloc with PAGE_EXECUTE_READWRITE
  • Alert on Python child processes invoking cmd.exe, powershell.exe, or rundll32.exe from ML workflow directories
  • Track outbound network connections initiated by Python interpreters immediately after model loads

How to Mitigate CVE-2025-71323

Immediate Actions Required

  • Upgrade picklescan to version 0.0.33 or later in every environment that processes untrusted pickle files
  • Rescan any previously cleared model files with the patched version to identify payloads that exploited the ctypes gap
  • Treat all pickle files from untrusted sources as executable code until they are validated by the fixed scanner

Patch Information

The maintainer addressed the issue in picklescan0.0.33 by adding ctypes and related native-code modules to the blocklist. Refer to the GitHub Security Advisory GHSA-4675-36f9-wf6r for the authoritative fix details and version guidance.

Workarounds

  • Prefer safer serialization formats such as safetensors for distributing model weights
  • Load untrusted pickle files only inside sandboxed containers with no network egress and minimal filesystem access
  • Apply a custom pickle.Unpickler subclass that overrides find_class to allowlist a small set of expected classes and reject ctypes
bash
# Upgrade picklescan to the fixed release
pip install --upgrade "picklescan>=0.0.33"

# Verify the installed version
python -c "import picklescan; print(picklescan.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.