CVE-2025-71348 Overview
CVE-2025-71348 affects picklescan versions before 0.0.28, a security scanner designed to detect malicious Python pickle files. The scanner fails to flag pickle files that invoke torch.utils._config_module.load_config within __reduce__ methods. Attackers can embed arbitrary code in pickle files that evades static analysis but executes during pickle.load. This bypass enables remote code execution in machine learning supply chain attacks, particularly against workflows that load PyTorch model artifacts from untrusted sources. The vulnerability is classified under [CWE-502] Deserialization of Untrusted Data.
Critical Impact
Attackers can distribute weaponized PyTorch model files that pass picklescan validation yet execute arbitrary code on the victim host during model loading.
Affected Products
- picklescan Python package versions prior to 0.0.28
- Machine learning pipelines using picklescan to validate PyTorch artifacts
- Model hubs and CI/CD workflows scanning third-party pickle files
Discovery Timeline
- 2026-06-21 - CVE-2025-71348 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2025-71348
Vulnerability Analysis
The Python pickle format permits arbitrary callable invocation through the __reduce__ protocol. When an object is unpickled, the interpreter executes the callable returned by __reduce__ with the supplied arguments. picklescan mitigates this risk by maintaining a denylist of dangerous callables and inspecting pickle opcodes for references to them.
The scanner does not include torch.utils._config_module.load_config in its denylist. This PyTorch helper accepts a configuration payload that can include executable Python. An attacker constructs a pickle whose __reduce__ returns (torch.utils._config_module.load_config, (payload,)). The scanner inspects the pickle, finds no known-malicious reference, and reports the file as safe. When the consumer calls pickle.load or torch.load, the callable executes the embedded payload.
Root Cause
The root cause is incomplete coverage in the picklescan denylist of callables that lead to code execution. The detection model relies on enumerating dangerous symbols rather than restricting deserialization to an allowlist of safe types. Any newly discovered execution sink in PyTorch or its dependencies bypasses the scanner until the denylist is updated.
Attack Vector
Exploitation requires the victim to load an attacker-controlled pickle file after picklescan reports it clean. Typical delivery vectors include model files hosted on public model hubs, shared research artifacts, and dependency packages bundling serialized objects. User interaction is required to trigger loading of the malicious artifact. See the GitHub Security Advisory and the Vulncheck Advisory on Picklescan for technical details on the bypass primitive.
Detection Methods for CVE-2025-71348
Indicators of Compromise
- Pickle or PyTorch model files containing references to torch.utils._config_module.load_config in their opcode stream
- picklescan versions below 0.0.28 present in build, CI, or runtime environments
- Unexpected child processes spawned by Python interpreters immediately after torch.load or pickle.load calls
Detection Strategies
- Statically inspect pickle files for GLOBAL opcodes referencing torch.utils._config_module and flag for manual review
- Audit ML pipelines and model registries for artifacts ingested before the picklescan upgrade to 0.0.28
- Compare installed picklescan versions across repositories and container images against the fixed release
Monitoring Recommendations
- Log all invocations of pickle.load and torch.load against external or user-supplied files with originating path
- Alert on Python processes performing network egress, shell execution, or file writes shortly after model load events
- Track downloads of model artifacts from public hubs and correlate hashes with known-safe baselines
How to Mitigate CVE-2025-71348
Immediate Actions Required
- Upgrade picklescan to version 0.0.28 or later across developer workstations, CI runners, and production scanners
- Rescan all previously validated pickle and PyTorch model files using the patched version
- Quarantine model artifacts from untrusted sources until rescanned
- Prefer safer serialization formats such as safetensors for distributing model weights
Patch Information
The fix is available in picklescan0.0.28, which extends the denylist to cover torch.utils._config_module.load_config. Refer to the GitHub Security Advisory for release notes and the upstream commit.
Workarounds
- Restrict pickle.load and torch.load to files originating from cryptographically verified, internal sources
- Run model loading in sandboxed containers with no network egress and minimal filesystem access
- Implement an allowlist of permitted callables when deserialization is unavoidable, using a custom Unpickler.find_class
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.28'
# Verify the installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
# Rescan a model artifact
picklescan --path /path/to/model.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

