CVE-2025-71347 Overview
CVE-2025-71347 is an insecure deserialization vulnerability [CWE-502] in picklescan versions before 0.0.33. The scanner fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.param_eval inside __reduce__ methods. Attackers can craft pickle payloads that pass picklescan inspection and then execute arbitrary code during deserialization. Applications that rely on picklescan to vet untrusted machine learning models or serialized objects are exposed to remote code execution. The flaw impacts any pipeline that loads third-party pickle artifacts, including model hubs, inference services, and MLOps automation.
Critical Impact
Attackers can bypass picklescan static analysis and achieve arbitrary code execution on any host that deserializes an attacker-supplied pickle file.
Affected Products
- picklescan versions prior to 0.0.33
- Machine learning pipelines that scan pickle artifacts with picklescan
- Applications loading untrusted pickle data validated by picklescan
Discovery Timeline
- 2026-07-04 - CVE-2025-71347 published to the National Vulnerability Database
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71347
Vulnerability Analysis
picklescan inspects pickle files for dangerous callables before deserialization. The scanner maintains allow and deny lists that flag known code-execution primitives such as os.system, subprocess.Popen, and eval. Versions before 0.0.33 do not treat numpy.f2py.crackfortran.param_eval as dangerous. This function calls Python's eval internally on its input, converting an apparently benign numeric parser into an arbitrary code execution primitive.
An attacker builds a class whose __reduce__ method returns (numpy.f2py.crackfortran.param_eval, ("<python expression>",)). When the victim scans the resulting pickle file with picklescan, the tool reports the artifact as safe. Subsequent deserialization via pickle.load triggers the reducer, invokes param_eval, and evaluates the attacker's expression in the loading process.
Root Cause
The root cause is an incomplete deny list within picklescan. The scanner enumerates known dangerous imports but does not account for indirect execution sinks reachable through numpy.f2py. Because crackfortran.param_eval wraps eval without input sanitization, any reference to it inside a pickle stream constitutes a code-execution gadget that the scanner misses.
Attack Vector
Exploitation is network-reachable and requires user interaction, typically the act of loading a downloaded model or artifact. A remote attacker publishes a poisoned pickle file to a model repository, dataset share, or artifact registry. The victim runs picklescan as part of a supply-chain check, receives a clean result, and then loads the file with pickle.load or a framework wrapper such as torch.load. Deserialization invokes the attacker-controlled param_eval payload and executes arbitrary Python code with the privileges of the loading process. See the VulnCheck Remote Code Execution Advisory for additional detail on the gadget.
Detection Methods for CVE-2025-71347
Indicators of Compromise
- Pickle files containing references to numpy.f2py.crackfortran.param_eval in their opcode stream
- Python processes spawning unexpected shells or network connections shortly after calls to pickle.load or torch.load
- picklescan scan results marking files as clean while the artifact contains f2py imports
- Model artifacts from untrusted sources with __reduce__ methods referencing numeric parsing helpers
Detection Strategies
- Parse pickle files with pickletools.dis and search for GLOBAL opcodes referencing numpy.f2py.crackfortran modules.
- Add numpy.f2py.crackfortran.param_eval to custom deny lists in any static analysis wrapping picklescan.
- Correlate model download events with subsequent child process creation from Python interpreters.
Monitoring Recommendations
- Log all invocations of pickle.load, pickle.loads, and torch.load in production ML services and alert on non-baseline callers.
- Monitor outbound network activity from inference workers, which typically operate on fixed egress patterns.
- Track the installed version of picklescan across build agents and require version 0.0.33 or later.
How to Mitigate CVE-2025-71347
Immediate Actions Required
- Upgrade picklescan to version 0.0.33 or later across development, CI, and production environments.
- Rescan any pickle artifacts ingested from third parties using the patched version before reuse.
- Restrict pickle loading to signed, internally produced artifacts and reject externally sourced pickles by default.
- Isolate model-loading workers in sandboxed containers with minimal network egress and no credentials.
Patch Information
The maintainers fixed the issue in picklescan 0.0.33 by extending the dangerous-globals list to include numpy.f2py.crackfortran.param_eval. Details are documented in the GitHub Security Advisory. Upgrade using pip install --upgrade picklescan and pin the minimum version in dependency manifests.
Workarounds
- Prefer safer serialization formats such as safetensors for model weights where feasible.
- Add a project-level deny list that flags any pickle referencing numpy.f2py modules until dependencies are patched.
- Run pickle deserialization in a restricted subprocess with seccomp or container-level syscall filtering.
# Upgrade picklescan and verify the installed version
pip install --upgrade 'picklescan>=0.0.33'
python -c "import picklescan, sys; print(picklescan.__version__)"
# Quick triage: list global imports referenced by a pickle file
python -m pickletools -a suspect_model.pkl | grep -i 'f2py\|crackfortran\|param_eval'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

