Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71341

CVE-2025-71341: picklescan RCE Vulnerability

CVE-2025-71341 is a remote code execution flaw in picklescan before version 0.0.29 that fails to detect malicious code in pickle files. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71341 Overview

CVE-2025-71341 affects picklescan versions before 0.0.29, a security tool used to scan Python pickle files for malicious code. The scanner fails to detect the profile.Profile.runctx function when analyzing pickle files. Attackers can craft malicious pickle files that invoke profile.Profile.runctx inside the __reduce__ method to achieve remote code execution when the pickle is loaded. The flaw is classified under CWE-502: Deserialization of Untrusted Data. Because picklescan is commonly used to vet machine learning model artifacts distributed as pickle files, downstream ML pipelines that rely on it for safety checks can be compromised silently.

Critical Impact

Remote attackers can bypass picklescan detection and execute arbitrary code on systems that load attacker-controlled pickle files, including ML model files validated by the scanner.

Affected Products

  • picklescan versions prior to 0.0.29
  • Machine learning workflows that rely on picklescan to validate pickle-serialized model files
  • Python applications using picklescan as a pre-load safety check for untrusted pickle data

Discovery Timeline

  • 2026-06-23 - CVE-2025-71341 published to the National Vulnerability Database (NVD)
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2025-71341

Vulnerability Analysis

The vulnerability is an insecure deserialization bypass in picklescan, a static analyzer that inspects pickle opcodes and the global imports they reference to flag dangerous callables. The scanner maintains a denylist of known dangerous functions such as os.system, subprocess.Popen, and eval. The function profile.Profile.runctx from the Python standard library profile module is not present on that denylist. profile.Profile.runctx executes a string of Python code in a given globals and locals context, providing a direct primitive for arbitrary code execution.

When a malicious pickle file references profile.Profile.runctx via a __reduce__ method, picklescan returns a clean verdict. The host application then calls pickle.load() on the file, which invokes runctx and executes attacker-supplied Python code. This is particularly impactful in ML supply chains where model files are downloaded from public repositories and scanned before loading.

Root Cause

The root cause is an incomplete denylist in the picklescan analyzer. The scanner enumerates known dangerous imports but omitted the profile.Profile.runctx callable, leaving a deserialization gadget reachable without triggering an alert. Denylist-based protection against pickle deserialization is fragile because the Python standard library exposes many callables that accept arbitrary code or commands.

Attack Vector

The attack vector is network-based with user interaction required, meaning a victim must load the malicious pickle file. A typical exploitation path involves the attacker publishing a poisoned model or data artifact to a model hub or package index. The victim downloads the artifact, runs picklescan which reports it as safe, and then calls pickle.load(). During unpickling, the embedded __reduce__ tuple references profile.Profile.runctx with attacker-controlled Python source as its argument, resulting in remote code execution in the context of the loading process.

The vulnerability manifests through pickle's reduction protocol. See the GitHub Security Advisory GHSA-6vqj-c2q5-j97w and the VulnCheck Remote Code Execution Advisory for technical details.

Detection Methods for CVE-2025-71341

Indicators of Compromise

  • Pickle files that import the profile module or reference profile.Profile.runctx in their opcode stream
  • Unexpected child processes spawned by Python interpreters immediately after loading pickle or ML model files
  • picklescan versions earlier than 0.0.29 present in build, CI, or runtime environments
  • Outbound network connections from data science workloads shortly after loading third-party model artifacts

Detection Strategies

  • Inspect pickle files with pickletools.dis() and flag any GLOBAL or STACK_GLOBAL opcodes that reference the profile module, in addition to the existing denylist
  • Enforce allowlist-based pickle loading using pickle.Unpickler subclasses that override find_class() to permit only known-safe types
  • Maintain a software bill of materials (SBOM) and alert on installations of picklescan below version 0.0.29

Monitoring Recommendations

  • Monitor Python processes for unexpected execution of code paths originating from the profile module during model loading
  • Log and review all pickle deserialization events on data science and inference hosts
  • Track outbound network activity from ML training and inference workloads to detect post-exploitation callbacks

How to Mitigate CVE-2025-71341

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later across all build, CI, and runtime environments
  • Re-scan previously validated pickle and model artifacts using the patched scanner before trusting them
  • Treat all pickle files from untrusted sources as executable code, regardless of prior scan results

Patch Information

The maintainers released picklescan version 0.0.29, which adds detection for profile.Profile.runctx and related deserialization gadgets. Refer to the GitHub Security Advisory GHSA-6vqj-c2q5-j97w for the full advisory and patch reference.

Workarounds

  • Prefer safer serialization formats such as safetensors for ML model weights instead of pickle
  • Load untrusted pickle files inside sandboxed environments with no network egress and minimal filesystem privileges
  • Implement a custom Unpickler.find_class() that allowlists only required classes and rejects all standard library callables, including the profile module
bash
# Upgrade picklescan to the patched version
pip install --upgrade 'picklescan>=0.0.29'

# Verify installed version
python -c "import picklescan; print(picklescan.__version__)"

# Scan a pickle or model file with the patched scanner
picklescan --path ./model.pkl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.