CVE-2025-71339 Overview
CVE-2025-71339 affects Picklescan versions before 0.0.33, a security tool designed to detect malicious Python pickle files. The scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside pickle __reduce__ methods. Attackers can craft pickle files that bypass Picklescan validation and execute arbitrary Python code on deserialization. The vulnerability is classified under [CWE-502] Deserialization of Untrusted Data. Users who rely on Picklescan to vet machine learning model files or other serialized data face direct compromise when loading attacker-controlled pickles.
Critical Impact
Malicious pickle files marked as safe by Picklescan execute arbitrary Python code on the victim host, leading to full code execution in the loading process context.
Affected Products
- Picklescan versions prior to 0.0.33
- Machine learning pipelines that use Picklescan to validate model artifacts
- Workflows that deserialize third-party pickle files after Picklescan validation
Discovery Timeline
- 2026-06-22 - CVE-2025-71339 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-71339
Vulnerability Analysis
Picklescan inspects pickle files for known dangerous imports and callables that can trigger code execution during deserialization. The tool maintains a denylist of gadgets such as os.system, subprocess.Popen, and eval constructs. Versions before 0.0.33 omit the numpy.f2py.crackfortran._eval_length function from this denylist. The _eval_length helper internally invokes Python's eval() on its argument, providing a primitive for arbitrary expression execution. Attackers exploit this by placing the gadget inside a pickle __reduce__ method paired with an attacker-controlled string.
Root Cause
The root cause is incomplete gadget enumeration in the Picklescan denylist. The scanner treats numpy.f2py.crackfortran._eval_length as benign because it is buried in NumPy's Fortran interface code. The function nevertheless reaches eval() on caller-supplied input, satisfying the requirements of a pickle deserialization gadget.
Attack Vector
An attacker publishes a pickle file, often disguised as a pre-trained model, on a model hub, package index, or shared storage. The victim runs Picklescan against the file, receives a clean verdict, and loads the pickle with pickle.load or a framework wrapper such as torch.load. During unpickling, Python invokes the gadget through the __reduce__ protocol, calling numpy.f2py.crackfortran._eval_length on the attacker's payload string. The payload is evaluated by Python's eval(), yielding code execution under the user account running the loader. Refer to the GitHub Security Advisory and the VulnCheck Advisory for protocol-level details.
Detection Methods for CVE-2025-71339
Indicators of Compromise
- Pickle files containing references to numpy.f2py.crackfortran._eval_length in their opcode stream
- Unexpected child processes spawned by Python interpreters loading model files
- Outbound network connections initiated immediately after pickle.load, torch.load, or joblib.load calls
- Picklescan reports marking files as safe while static inspection reveals f2py.crackfortran imports
Detection Strategies
- Scan pickle files with pickletools.dis and search for GLOBAL opcodes referencing numpy.f2py.crackfortran._eval_length
- Upgrade Picklescan to 0.0.33 or later and re-scan previously approved artifacts
- Audit model repositories and shared storage for pickle files added before the upgrade
- Correlate Python process telemetry with pickle load events in endpoint detection data
Monitoring Recommendations
- Alert on Python processes spawning shells, curl, wget, or scripting interpreters shortly after model load operations
- Monitor file integrity on directories that store serialized model artifacts
- Log and review all calls to deserialization libraries in production inference services
How to Mitigate CVE-2025-71339
Immediate Actions Required
- Upgrade Picklescan to version 0.0.33 or later on every system that performs pickle validation
- Re-scan all pickle artifacts previously validated by an older Picklescan version
- Quarantine pickle files sourced from untrusted authors until they pass the updated scan
- Restrict permissions of accounts that load pickle files to limit blast radius
Patch Information
The maintainers fixed CVE-2025-71339 in Picklescan 0.0.33 by adding numpy.f2py.crackfortran._eval_length to the scanner's unsafe globals list. Install the patched release with pip install --upgrade picklescan. Review the GitHub Security Advisory GHSA-6556-fwc2-fg2p for full release notes.
Workarounds
- Replace pickle-based model formats with safer alternatives such as safetensors where feasible
- Load untrusted pickles only inside sandboxed containers without network access or sensitive credentials
- Block the numpy.f2py.crackfortran module path in custom unpickler classes that override find_class
- Treat any third-party pickle as untrusted regardless of scanner verdicts until the upgrade is verified
# Configuration example
pip install --upgrade 'picklescan>=0.0.33'
picklescan --path ./models --verbose
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

