CVE-2025-71342 Overview
CVE-2025-71342 is a security scanner bypass vulnerability in picklescan before version 0.0.30. The tool fails to detect malicious pickle files that abuse idlelib.run.Executive.runcode inside __reduce__ methods. Attackers can embed arbitrary Python code in pickle files that picklescan classifies as safe. When a downstream consumer calls pickle.load on the file, the embedded code executes in the loading process. This bypass affects PyTorch model loading workflows and creates a supply chain risk for machine learning pipelines that rely on picklescan as a gate for third-party models. The weakness is tracked as [CWE-502] Deserialization of Untrusted Data.
Critical Impact
Attackers can distribute weaponized PyTorch models that bypass picklescan detection and achieve remote code execution when the model is loaded.
Affected Products
- picklescan versions prior to 0.0.30
- PyTorch model loading pipelines using picklescan for pre-load validation
- ML supply chain workflows scanning Hugging Face or third-party pickle artifacts
Discovery Timeline
- 2026-07-04 - CVE-2025-71342 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71342
Vulnerability Analysis
picklescan maintains an allow/deny list of Python callables that pickle files may reference through the REDUCE opcode. The scanner inspects each GLOBAL opcode and flags known-dangerous imports such as os.system, subprocess.Popen, and builtins.exec. The scanner did not include idlelib.run.Executive.runcode in its list of dangerous callables. idlelib ships with the standard Python distribution, and Executive.runcode compiles and executes a string of Python source inside the current interpreter. A pickle file that references this callable through a __reduce__ method passes picklescan validation while still delivering arbitrary code execution on pickle.load.
Root Cause
The root cause is an incomplete deny list in the scanner's static analysis logic. picklescan treats callables that are not explicitly enumerated as benign. Any callable reachable through a standard-library import path that executes arbitrary code becomes a bypass primitive. idlelib.run.Executive.runcode is one such primitive, and other unreviewed callables in idlelib, pydoc, and similar modules present the same class of risk.
Attack Vector
Exploitation requires the victim to load an attacker-supplied pickle file. The typical delivery path is a malicious PyTorch checkpoint distributed through a model registry, a Git repository, or a shared storage bucket. The attacker crafts a class whose __reduce__ returns (idlelib.run.Executive.runcode, (payload_string,)). The victim runs picklescan against the file, receives a clean verdict, then calls torch.load or pickle.load. The unpickler invokes the reducer, and the payload string is compiled and executed with the privileges of the loading process. See the GitHub Security Advisory and the VulnCheck Advisory on Picklescan for the technical write-ups.
Detection Methods for CVE-2025-71342
Indicators of Compromise
- Pickle or PyTorch files containing GLOBAL opcodes that reference idlelib.run or idlelib.run.Executive.
- python or python3 processes spawning shells, network utilities, or download tools shortly after a torch.load or pickle.load call.
- Unexpected outbound connections initiated by ML training or inference workers immediately after model ingestion.
Detection Strategies
- Run pickletools.dis against untrusted pickle files and alert on any GLOBAL referencing idlelib, pydoc, runpy, or other execution-capable standard-library modules.
- Upgrade picklescan to 0.0.30 or later so the updated deny list flags idlelib.run.Executive.runcode.
- Correlate model file ingestion events with subsequent process creation to identify deserialization-triggered execution chains.
Monitoring Recommendations
- Log all invocations of torch.load, pickle.load, and joblib.load in ML pipelines and forward events to a centralized store.
- Monitor child processes of Python interpreters that host model loading services and alert on shell, compiler, or network binaries.
- Track versions of picklescan across build systems and CI runners to confirm the fixed release is deployed everywhere.
How to Mitigate CVE-2025-71342
Immediate Actions Required
- Upgrade picklescan to version 0.0.30 or later across development, CI, and production environments.
- Re-scan previously approved pickle and PyTorch artifacts with the patched scanner and quarantine any files that now trigger detections.
- Restrict model loading to sandboxed workers with no outbound network access and least-privilege file system permissions.
Patch Information
The maintainers released picklescan0.0.30, which adds idlelib.run.Executive.runcode and related callables to the dangerous-import list. Consult the GitHub Security Advisory GHSA-m869-42cg-3xwr for the full list of updated signatures and any additional callables blocked in the fix.
Workarounds
- Prefer safer serialization formats such as safetensors for model weights whenever the framework supports it.
- Load untrusted pickle files only inside isolated containers or virtual machines with no credentials or secrets mounted.
- Enforce cryptographic signature verification on model artifacts before any deserialization step runs.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

