Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71339

CVE-2025-71339: Picklescan RCE Vulnerability

CVE-2025-71339 is a remote code execution flaw in Picklescan before 0.0.33 that fails to detect malicious pickle files. Attackers can execute arbitrary Python code bypassing safety validation. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-71339 Overview

CVE-2025-71339 affects Picklescan versions before 0.0.33, a security tool designed to detect malicious Python pickle files. The scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside pickle __reduce__ methods. Attackers can craft pickle files that bypass Picklescan validation and execute arbitrary Python code on deserialization. The vulnerability is classified under [CWE-502] Deserialization of Untrusted Data. Users who rely on Picklescan to vet machine learning model files or other serialized data face direct compromise when loading attacker-controlled pickles.

Critical Impact

Malicious pickle files marked as safe by Picklescan execute arbitrary Python code on the victim host, leading to full code execution in the loading process context.

Affected Products

  • Picklescan versions prior to 0.0.33
  • Machine learning pipelines that use Picklescan to validate model artifacts
  • Workflows that deserialize third-party pickle files after Picklescan validation

Discovery Timeline

  • 2026-06-22 - CVE-2025-71339 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2025-71339

Vulnerability Analysis

Picklescan inspects pickle files for known dangerous imports and callables that can trigger code execution during deserialization. The tool maintains a denylist of gadgets such as os.system, subprocess.Popen, and eval constructs. Versions before 0.0.33 omit the numpy.f2py.crackfortran._eval_length function from this denylist. The _eval_length helper internally invokes Python's eval() on its argument, providing a primitive for arbitrary expression execution. Attackers exploit this by placing the gadget inside a pickle __reduce__ method paired with an attacker-controlled string.

Root Cause

The root cause is incomplete gadget enumeration in the Picklescan denylist. The scanner treats numpy.f2py.crackfortran._eval_length as benign because it is buried in NumPy's Fortran interface code. The function nevertheless reaches eval() on caller-supplied input, satisfying the requirements of a pickle deserialization gadget.

Attack Vector

An attacker publishes a pickle file, often disguised as a pre-trained model, on a model hub, package index, or shared storage. The victim runs Picklescan against the file, receives a clean verdict, and loads the pickle with pickle.load or a framework wrapper such as torch.load. During unpickling, Python invokes the gadget through the __reduce__ protocol, calling numpy.f2py.crackfortran._eval_length on the attacker's payload string. The payload is evaluated by Python's eval(), yielding code execution under the user account running the loader. Refer to the GitHub Security Advisory and the VulnCheck Advisory for protocol-level details.

Detection Methods for CVE-2025-71339

Indicators of Compromise

  • Pickle files containing references to numpy.f2py.crackfortran._eval_length in their opcode stream
  • Unexpected child processes spawned by Python interpreters loading model files
  • Outbound network connections initiated immediately after pickle.load, torch.load, or joblib.load calls
  • Picklescan reports marking files as safe while static inspection reveals f2py.crackfortran imports

Detection Strategies

  • Scan pickle files with pickletools.dis and search for GLOBAL opcodes referencing numpy.f2py.crackfortran._eval_length
  • Upgrade Picklescan to 0.0.33 or later and re-scan previously approved artifacts
  • Audit model repositories and shared storage for pickle files added before the upgrade
  • Correlate Python process telemetry with pickle load events in endpoint detection data

Monitoring Recommendations

  • Alert on Python processes spawning shells, curl, wget, or scripting interpreters shortly after model load operations
  • Monitor file integrity on directories that store serialized model artifacts
  • Log and review all calls to deserialization libraries in production inference services

How to Mitigate CVE-2025-71339

Immediate Actions Required

  • Upgrade Picklescan to version 0.0.33 or later on every system that performs pickle validation
  • Re-scan all pickle artifacts previously validated by an older Picklescan version
  • Quarantine pickle files sourced from untrusted authors until they pass the updated scan
  • Restrict permissions of accounts that load pickle files to limit blast radius

Patch Information

The maintainers fixed CVE-2025-71339 in Picklescan 0.0.33 by adding numpy.f2py.crackfortran._eval_length to the scanner's unsafe globals list. Install the patched release with pip install --upgrade picklescan. Review the GitHub Security Advisory GHSA-6556-fwc2-fg2p for full release notes.

Workarounds

  • Replace pickle-based model formats with safer alternatives such as safetensors where feasible
  • Load untrusted pickles only inside sandboxed containers without network access or sensitive credentials
  • Block the numpy.f2py.crackfortran module path in custom unpickler classes that override find_class
  • Treat any third-party pickle as untrusted regardless of scanner verdicts until the upgrade is verified
bash
# Configuration example
pip install --upgrade 'picklescan>=0.0.33'
picklescan --path ./models --verbose

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.