Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71349

CVE-2025-71349: picklescan RCE Vulnerability

CVE-2025-71349 is a remote code execution flaw in picklescan before version 0.0.29 that fails to detect malicious trace.Trace.run functions in pickle files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71349 Overview

CVE-2025-71349 affects picklescan versions before 0.0.29, a security scanner designed to detect malicious code in Python pickle files. The scanner fails to identify the built-in trace.Trace.run function during analysis. Attackers can embed this function in the __reduce__ method of a crafted pickle file to bypass detection entirely. When pickle.load processes the file, arbitrary code executes on the target system. This flaw undermines the core protection picklescan provides for machine learning workflows that ingest untrusted pickle-serialized models. The vulnerability is tracked under CWE-502: Deserialization of Untrusted Data.

Critical Impact

Remote attackers can achieve arbitrary code execution on systems processing pickle files that were incorrectly certified as safe by picklescan.

Affected Products

  • picklescan versions prior to 0.0.29
  • Machine learning pipelines relying on picklescan to vet untrusted pickle artifacts
  • Model repositories and inference services loading third-party pickle files

Discovery Timeline

  • 2026-06-30 - CVE-2025-71349 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2025-71349

Vulnerability Analysis

The picklescan project statically analyzes pickle streams to flag dangerous callables invoked through opcode instructions such as REDUCE. Its safety determination depends on an allow/deny list of known-dangerous functions. The scanner did not include trace.Trace.run from the Python standard library in its detection logic. trace.Trace.run accepts a code string and executes it inside an instrumented execution context, providing an equivalent capability to exec. Because the scanner returned a clean verdict for pickles referencing this function, downstream systems treated malicious payloads as safe.

Root Cause

The root cause is incomplete coverage of dangerous callables in the picklescan detector. Any Python callable that evaluates arbitrary code can be abused through the pickle __reduce__ protocol. The maintainers missed trace.Trace.run when enumerating exec-equivalent functions, leaving a gap in the deny list. Signature-based scanning of pickle streams is inherently fragile because the Python standard library exposes many indirect execution primitives.

Attack Vector

An attacker crafts a pickle file whose __reduce__ method returns (trace.Trace().run, ("malicious_python_code",)). The victim downloads or receives the file, runs picklescan against it, and receives a benign result. When the victim later calls pickle.load on the same file, trace.Trace.run executes the attacker-supplied code with the privileges of the loading process. Delivery vectors include poisoned model files on public hubs, supply chain compromises, and shared datasets. Exploitation requires user interaction to load the pickle. Consult the GitHub Security Advisory GHSA-5qwp-399c-mjwf and the VulnCheck Advisory on Picklescan for further technical detail.

Detection Methods for CVE-2025-71349

Indicators of Compromise

  • Pickle files containing references to the trace module or the trace.Trace class in their opcode stream
  • picklescan scan reports issued by versions earlier than 0.0.29 marking files as safe despite embedded REDUCE opcodes
  • Unexpected child processes spawned by Python interpreters shortly after pickle.load or torch.load calls
  • Outbound network connections initiated by model-serving processes immediately after model deserialization

Detection Strategies

  • Inspect pickle files with pickletools.dis and flag any GLOBAL opcode referencing trace Trace or other exec-equivalent callables
  • Correlate model-loading events with process creation and network telemetry to identify anomalous execution originating from Python runtimes
  • Track deployed picklescan versions across build pipelines and block scan results generated by versions below 0.0.29

Monitoring Recommendations

  • Alert on python or python3 processes spawning shells, curl, wget, or other living-off-the-land binaries following model loads
  • Log all pickle file ingestions in ML inference and training environments with hashes and origin metadata
  • Monitor package manifests to detect downgrades of picklescan below the fixed version

How to Mitigate CVE-2025-71349

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later across all developer workstations, CI pipelines, and production scanners
  • Re-scan any pickle artifacts previously certified as safe by earlier picklescan versions
  • Quarantine untrusted pickle files sourced from public model hubs until re-validated

Patch Information

The picklescan maintainers released version 0.0.29, which adds trace.Trace.run to the set of detected dangerous callables. Refer to the GitHub Security Advisory GHSA-5qwp-399c-mjwf for the full remediation notes and commit references.

Workarounds

  • Avoid loading pickle files from untrusted sources; prefer safer serialization formats such as safetensors for ML model weights
  • Run pickle.load operations inside sandboxed processes with no network access and minimal filesystem privileges
  • Combine picklescan results with independent static analysis and behavioral monitoring rather than relying on a single scanner verdict
bash
# Configuration example
pip install --upgrade "picklescan>=0.0.29"
picklescan --path ./models --json > scan_report.json

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.