CVE-2025-71344 Overview
CVE-2025-71344 is an arbitrary code execution vulnerability in picklescan, a security tool used to scan Python pickle files for malicious payloads. Versions 0.0.26 and earlier fail to detect the ensurepip._run_pip built-in function during scanning. Attackers craft malicious pickle files that embed ensurepip._run_pip calls inside __reduce__ methods, bypassing picklescan detection. When the targeted application invokes pickle.load() on the file, the embedded payload executes, achieving remote code execution. The flaw is tracked under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Attackers can bypass picklescan static analysis and execute arbitrary code on systems that deserialize untrusted pickle files, including machine learning model loading pipelines.
Affected Products
- picklescan versions 0.0.26 and earlier
- Python applications and ML pipelines relying on picklescan to validate untrusted pickle files
- Hugging Face model loaders and similar workflows that integrate picklescan as a safety check
Discovery Timeline
- 2026-06-22 - CVE-2025-71344 published to the National Vulnerability Database
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-71344
Vulnerability Analysis
The picklescan library maintains a denylist of functions and modules considered dangerous when encountered during pickle deserialization. The scanner inspects pickle opcodes and flags imports of known code execution primitives such as os.system, subprocess.Popen, and builtins.exec. The library's denylist omits ensurepip._run_pip, a built-in helper that invokes the pip package manager. An attacker who controls a pickle file can therefore embed this function and execute arbitrary pip commands, including installing attacker-controlled packages that run setup-time code.
The issue is significant because picklescan is frequently deployed as a guardrail before loading machine learning models distributed as pickle files. A pickle that passes picklescan validation is implicitly trusted, so a successful bypass converts a defensive control into a false assurance of safety.
Root Cause
The root cause is an incomplete denylist within picklescan's scanning logic. ensurepip._run_pip is a callable exposed through Python's standard library and reachable via pickle's GLOBAL opcode. Because the function was not enumerated as dangerous, the scanner returned a clean verdict even when the opcode stream resolved to it. Version 0.0.30 adds the function to the denylist, restoring detection.
Attack Vector
Exploitation requires an attacker to deliver a malicious pickle file to a victim that uses picklescan before calling pickle.load(). The attacker constructs a class whose __reduce__ method returns (ensurepip._run_pip, (args,)). When picklescan inspects the file, the call target is not flagged. When the application subsequently deserializes the file, Python resolves the reference and invokes ensurepip._run_pip with attacker-supplied arguments, which can trigger installation of arbitrary packages and execution of their installation hooks. Distribution channels include public model hubs, shared notebooks, and third-party datasets. Refer to the GitHub Security Advisory GHSA-xp4f-hrf8-rxw7 and the VulnCheck Advisory on Picklescan for technical details.
Detection Methods for CVE-2025-71344
Indicators of Compromise
- Pickle files containing GLOBAL opcodes referencing ensurepip._run_pip or the ensurepip module
- Unexpected pip install processes spawned by Python application or ML training workloads
- Outbound network connections from data science hosts to package indexes immediately after model loading
- Newly installed Python packages in environments that load third-party pickle artifacts
Detection Strategies
- Statically inspect pickle files for any reference to ensurepip, pip, or _run_pip symbols prior to deserialization
- Hook pickle.Unpickler.find_class in application code to log and block resolution of unexpected modules
- Correlate model-loading events with subsequent process creation and package installation activity
- Compare installed picklescan version against 0.0.30 or later during software composition analysis scans
Monitoring Recommendations
- Log all child processes spawned by Python interpreters that handle untrusted serialized data
- Alert on pip execution originating from non-interactive service accounts or container workloads
- Monitor file integrity for the Python site-packages directory in production inference environments
- Track network egress to PyPI and mirror endpoints from hosts that should not install packages at runtime
How to Mitigate CVE-2025-71344
Immediate Actions Required
- Upgrade picklescan to version 0.0.30 or later in every environment that scans untrusted pickle files
- Audit machine learning pipelines and model registries for pickle files received before the upgrade
- Replace pickle-based model serialization with safer formats such as safetensors where feasible
Patch Information
The maintainers of picklescan fixed CVE-2025-71344 in version 0.0.30 by adding ensurepip._run_pip to the denylist used during pickle opcode scanning. Users should pin picklescan>=0.0.30 in dependency manifests and rebuild container images that bundle the library. Full remediation details are available in the GitHub Security Advisory GHSA-xp4f-hrf8-rxw7.
Workarounds
- Treat picklescan output as advisory only and refuse to deserialize pickle files from untrusted sources
- Execute pickle loading in sandboxed environments with no network egress and restricted filesystem access
- Enforce code review on every model artifact pulled from public hubs before promotion to production
- Implement a custom Unpickler that allowlists a narrow set of acceptable classes and rejects all others
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

