Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71343

CVE-2025-71343: picklescan RCE Vulnerability Exploit

CVE-2025-71343 is a remote code execution vulnerability in picklescan before version 0.0.30 that allows attackers to bypass detection with malicious pickle files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71343 Overview

CVE-2025-71343 affects picklescan versions before 0.0.30, a security tool designed to detect malicious pickle files used in machine learning model distribution. The scanner fails to detect malicious payloads that abuse the lib2to3.pgen2.pgen.ParserGenerator.make_label function within a pickle __reduce__ method. Attackers can craft pickle files that bypass static detection but execute arbitrary commands when a victim calls pickle.load(). This weakness is categorized under [CWE-502] Deserialization of Untrusted Data. The flaw undermines a security control specifically built to protect AI/ML pipelines against supply chain attacks involving untrusted model files distributed through platforms like Hugging Face.

Critical Impact

Malicious pickle files bypass picklescan inspection and execute arbitrary code on any host that loads the crafted model, enabling supply chain compromise of ML pipelines.

Affected Products

  • picklescan versions prior to 0.0.30
  • Machine learning workflows relying on picklescan to validate untrusted pickle or PyTorch model files
  • CI/CD pipelines and model registries using picklescan as a gating scanner

Discovery Timeline

  • 2026-07-04 - CVE-2025-71343 published to the National Vulnerability Database
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2025-71343

Vulnerability Analysis

Python's pickle format serializes objects by recording instructions that reconstruct them during deserialization. The __reduce__ method on a class controls what callable and arguments the interpreter invokes when the object is unpickled. Attackers routinely abuse this to invoke functions such as os.system or subprocess.Popen.

picklescan mitigates this risk by inspecting pickle opcodes and flagging references to a known list of dangerous callables. The tool did not include lib2to3.pgen2.pgen.ParserGenerator.make_label in its unsafe globals list. Because make_label can be leveraged to reach code execution primitives during unpickling, an attacker can reference it in a __reduce__ payload and evade the scanner while still achieving execution on pickle.load().

The scope of exposure is significant for ML supply chains, where scanners like picklescan are the primary safeguard applied to third-party model artifacts.

Root Cause

The root cause is an incomplete deny list of dangerous callables in picklescan versions before 0.0.30. The scanner relies on enumerating known-bad symbols rather than enforcing a strict allow list, so any reachable callable outside the deny list (such as lib2to3.pgen2.pgen.ParserGenerator.make_label) becomes a viable bypass primitive [CWE-502].

Attack Vector

An attacker publishes a malicious pickle or PyTorch model file to a public repository, model hub, or shared storage location. A victim scans the file with picklescan, which reports it as clean. When the victim then loads the file with pickle.load() or torch.load(), the embedded __reduce__ payload referencing make_label executes attacker-controlled code with the privileges of the loading process. Exploitation requires user interaction to load the file but no authentication.

See the VulnCheck Advisory on PickleScan and the GitHub Security Advisory for the technical write-up.

Detection Methods for CVE-2025-71343

Indicators of Compromise

  • Pickle or PyTorch model files that contain references to lib2to3.pgen2.pgen.ParserGenerator or make_label in their opcode stream.
  • Python interpreter processes spawning shell, subprocess, or network utilities immediately after invoking pickle.load() or torch.load().
  • Model files downloaded from untrusted registries that pass picklescan but exhibit unexpected GLOBAL or REDUCE opcodes when inspected with pickletools.dis.

Detection Strategies

  • Run python -m pickletools -a <file> on suspect artifacts and review any c (GLOBAL) opcodes for unexpected module or function references.
  • Instrument ML loader hosts to log parent/child process trees around Python workloads and alert on shell invocations from model-loading services.
  • Enforce version pinning in CI so that picklescan builds prior to 0.0.30 fail dependency checks.

Monitoring Recommendations

  • Monitor outbound network connections from model-serving hosts for connections not associated with the model's declared behavior.
  • Track file writes, cron modifications, and credential access performed by Python processes hosting ML inference workloads.
  • Alert on new pickle-based model artifacts appearing in shared registries without provenance metadata or signatures.

How to Mitigate CVE-2025-71343

Immediate Actions Required

  • Upgrade picklescan to version 0.0.30 or later across all developer workstations, build agents, and model registries.
  • Rescan any pickle or PyTorch model files ingested from external sources using the patched scanner version.
  • Treat any model previously validated only by a vulnerable picklescan build as untrusted until re-verified.

Patch Information

The maintainers addressed CVE-2025-71343 in picklescan0.0.30 by extending the unsafe globals list to include the lib2to3.pgen2.pgen.ParserGenerator.make_label bypass primitive. Refer to the GitHub Security Advisory GHSA-p9w7-82w4-7q8m for the fix details and release notes.

Workarounds

  • Migrate model serialization to safer formats such as safetensors, which does not execute code on load.
  • Load untrusted pickle files only inside sandboxed environments with no network egress, restricted filesystem access, and non-privileged accounts.
  • Require cryptographic signatures on internally produced models and reject unsigned artifacts at ingestion time.
bash
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.30'

# Verify the installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"

# Rescan model artifacts after upgrading
picklescan --path ./models --log-level INFO

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.