CVE-2025-71345 Overview
CVE-2025-71345 affects picklescan versions prior to 0.0.30, a security tool designed to detect malicious pickle files before deserialization. The scanner fails to identify pickle files that invoke the torch.utils.bottleneck.__main__.run_autograd_prof function. Attackers embed this function call in a pickle payload to bypass detection and achieve arbitrary code execution when Python deserializes the file. The flaw is tracked under CWE-502: Deserialization of Untrusted Data and impacts machine learning pipelines that rely on picklescan to vet PyTorch model files sourced from public repositories.
Critical Impact
A crafted pickle file evades picklescan inspection and executes attacker-controlled code during model loading, enabling remote code execution in ML workflows.
Affected Products
- picklescan versions before 0.0.30
- PyTorch model loading workflows that depend on picklescan for validation
- ML pipelines ingesting untrusted .pkl or .pt files from public model hubs
Discovery Timeline
- 2026-07-04 - CVE-2025-71345 published to the National Vulnerability Database
- 2026-07-06 - Last updated in the NVD database
Technical Details for CVE-2025-71345
Vulnerability Analysis
picklescan inspects pickle streams for references to functions and modules known to enable code execution during unpickling. The scanner maintains an allowlist and denylist of imports, flagging dangerous callables such as os.system or subprocess.Popen. The tool does not classify torch.utils.bottleneck.__main__.run_autograd_prof as dangerous, despite the function's ability to execute arbitrary code paths when invoked by the pickle virtual machine.
An attacker publishes a poisoned PyTorch checkpoint on a model hub or shares it directly with a victim. When a developer runs picklescan against the file, the scanner reports the file as safe. Loading the file with pickle.load or torch.load triggers the embedded REDUCE opcode, which resolves the run_autograd_prof reference and executes attacker-supplied arguments in the Python process.
Root Cause
The root cause is incomplete coverage of dangerous callables within picklescan's detection ruleset. The scanner's blocklist did not include the torch.utils.bottleneck.__main__ module, allowing a legitimate PyTorch function to serve as a code execution primitive. This is a classic gap in denylist-based deserialization defenses tracked as [CWE-502].
Attack Vector
Exploitation requires a victim to download and process a malicious pickle file after scanning it with a vulnerable picklescan release. The attack vector is network-based through model distribution channels, and it requires user interaction to load the file. Once the pickle is deserialized, the payload runs with the privileges of the Python process, providing a foothold for credential theft, lateral movement, or supply chain compromise of downstream models.
See the GitHub Security Advisory GHSA-4whj-rm5r-c2v8 and the VulnCheck advisory for technical details.
Detection Methods for CVE-2025-71345
Indicators of Compromise
- Pickle files containing references to torch.utils.bottleneck.__main__.run_autograd_prof in their opcode stream
- Unexpected child processes spawned by Python interpreters shortly after torch.load or pickle.load calls
- Outbound network connections from data science workstations or ML training hosts immediately following model deserialization
Detection Strategies
- Statically inspect pickle files using pickletools.dis and flag any GLOBAL or STACK_GLOBAL opcode referencing torch.utils.bottleneck
- Update to picklescan0.0.30 or later, which includes the missing signature, and rescan cached model artifacts
- Correlate model file hashes against known malicious samples reported in vendor advisories
Monitoring Recommendations
- Log all invocations of torch.load, pickle.load, and pickle.loads in production ML pipelines with process ancestry
- Alert on Python processes executing shells, package managers, or network utilities after loading model files
- Track ingestion of third-party model artifacts and require scanning with a current picklescan version before use
How to Mitigate CVE-2025-71345
Immediate Actions Required
- Upgrade picklescan to version 0.0.30 or later across development, CI, and production environments
- Re-scan any pickle or PyTorch model files that were previously validated with an older picklescan release
- Restrict model loading to trusted internal registries and block direct downloads from public hubs until scans complete
Patch Information
The maintainers of picklescan released version 0.0.30, which adds torch.utils.bottleneck.__main__.run_autograd_prof to the set of dangerous callables detected during scanning. Refer to the GitHub Security Advisory GHSA-4whj-rm5r-c2v8 for release notes and fix commits.
Workarounds
- Prefer safer serialization formats such as safetensors for storing and distributing model weights
- Load untrusted pickle files inside sandboxed containers with no network egress and non-privileged accounts
- Enforce a strict allowlist of model publishers and verify checksums before deserialization
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

