CVE-2025-71325 Overview
CVE-2025-71325 is a parsing logic flaw in picklescan versions before 0.0.27, a security scanner that detects suspicious actions in Python pickle files. The vulnerability resides in the _list_globals function when it handles STACK_GLOBAL opcodes. The function fails to track arguments in the correct range, allowing malicious pickle files to evade detection. Attackers can craft pickle files with arguments positioned at index zero to trigger unexpected exceptions and bypass the scanner. Because picklescan is widely used to vet machine learning models distributed as pickle files, this flaw undermines a core defense against insecure deserialization attacks targeting AI/ML supply chains.
Critical Impact
Attackers can smuggle malicious pickle payloads past picklescan scanning, enabling arbitrary code execution when the file is later deserialized by a downstream consumer.
Affected Products
- picklescan Python package, all versions before 0.0.27
- Machine learning pipelines that rely on picklescan to vet pickled models
- Model hubs and CI/CD workflows integrating picklescan as a gating control
Discovery Timeline
- 2026-06-17 - CVE-2025-71325 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-71325
Vulnerability Analysis
The Python pickle format is a stack-based serialization protocol. Opcodes push values onto a stack, and STACK_GLOBAL consumes the top two stack items as the module name and attribute name to import. picklescan walks the opcode stream and attempts to enumerate imported globals so it can flag dangerous symbols such as os.system or subprocess.Popen.
The _list_globals routine reconstructs which globals will be resolved when STACK_GLOBAL opcodes are encountered. Due to an off-by-one or incorrect index range when locating the two arguments on the stack, a crafted pickle that places its module/attribute strings at stack position zero causes the function to either raise an exception or fail to record the global. The scanner treats the exception as a parse-level issue rather than malicious behavior, allowing the file to pass review.
The issue is categorized as [CWE-391] Unchecked Error Condition, reflecting that the parser's error handling masks the malicious indicator rather than surfacing it.
Root Cause
The defect is purely a logic error in stack indexing inside _list_globals. The function assumes STACK_GLOBAL arguments occupy a specific range on the reconstructed stack but does not handle the boundary case where those arguments sit at position zero. The exception that follows is silently absorbed, producing a clean scan result for a file that still resolves to dangerous imports at unpickle time.
Attack Vector
An attacker publishes a malicious pickle file, such as a Hugging Face model or shared .pkl artifact, that uses STACK_GLOBAL with arguments at stack position zero. A victim runs picklescan against the file, which reports no findings. The victim then loads the file with pickle.load, at which point the embedded globals resolve to attacker-controlled callables and execute code in the victim's process.
Patch Reference
The maintainer addressed the flaw in version 0.0.26 and follow-up releases. The version bump is visible in the upstream commit:
[metadata]
name = picklescan
-version = 0.0.25
+version = 0.0.26
author = Matthieu Maitre
author_email = mmaitre314@users.noreply.github.com
description = Security scanner detecting Python Pickle files performing suspicious actions
Source: GitHub Commit 2a8383c
Detection Methods for CVE-2025-71325
Indicators of Compromise
- Pickle files where picklescan raises a parse exception but returns no global findings
- .pkl, .pt, .bin, or .ckpt artifacts containing STACK_GLOBAL opcodes with adjacent zero-indexed string arguments
- Outbound network connections or child process spawns immediately after pickle.load or torch.load calls
- Untrusted model files downloaded from public hubs without provenance verification
Detection Strategies
- Re-scan all historical pickle artifacts with picklescan>=0.0.27 and compare results against prior scans for newly flagged files.
- Use complementary tools such as fickling or manual pickletools.dis review to cross-validate picklescan output on high-risk artifacts.
- Hunt for Python processes that invoke pickle.Unpickler and subsequently spawn shells, curl, wget, or PowerShell.
Monitoring Recommendations
- Log every invocation of picklescan in CI/CD pipelines along with the scanned file hash and result.
- Alert when a Python interpreter loading a pickle artifact initiates outbound network traffic or writes to sensitive paths.
- Track installed picklescan versions across developer workstations and build agents to confirm patch coverage.
How to Mitigate CVE-2025-71325
Immediate Actions Required
- Upgrade picklescan to version 0.0.27 or later in every environment that scans pickle files.
- Re-evaluate any pickle artifact previously cleared by a vulnerable scanner before trusting it in production.
- Treat pickle files from untrusted sources as code, not data, and execute them only inside sandboxes.
Patch Information
Upgrade picklescan to 0.0.27 or newer. See the GitHub Security Advisory GHSA-9gvj-pp9x-gcfr and the VulnCheck Security Advisory for full technical context.
Workarounds
- Prefer safer model serialization formats such as safetensors over pickle whenever feasible.
- Layer multiple pickle scanners and require all to pass before accepting an artifact.
- Restrict pickle.load operations to network-isolated sandboxes with no credentials or secrets mounted.
- Sign and verify internal pickle artifacts so unsigned files are rejected at load time.
# Upgrade picklescan and verify the installed version
pip install --upgrade 'picklescan>=0.0.27'
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
# Re-scan a directory of pickle artifacts with the patched version
picklescan --path ./models --globals-list
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

