Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71352

CVE-2025-71352: picklescan RCE Vulnerability

CVE-2025-71352 is a remote code execution flaw in picklescan before version 0.0.29 that allows attackers to bypass detection and execute arbitrary code. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-71352 Overview

CVE-2025-71352 affects picklescan versions before 0.0.29, a security scanner designed to detect malicious code in Python pickle files. The scanner fails to identify the built-in Python trace.Trace.runctx function when it appears in pickle __reduce__ methods. Attackers can craft malicious pickle files containing trace.Trace.runctx payloads that bypass picklescan detection and execute arbitrary code when pickle.load() is invoked. The flaw impacts machine learning workflows that rely on picklescan to validate untrusted model files distributed through repositories such as Hugging Face.

Critical Impact

Remote attackers can achieve arbitrary code execution on systems that trust picklescan output before loading pickle-serialized data or ML models.

Affected Products

  • picklescan versions prior to 0.0.29
  • Python applications relying on picklescan for pickle validation
  • Machine learning pipelines ingesting third-party pickle-serialized models

Discovery Timeline

  • 2026-06-30 - CVE-2025-71352 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2025-71352

Vulnerability Analysis

The vulnerability is a protection mechanism failure [CWE-693] in picklescan, a tool that inspects pickle files for dangerous callables before deserialization. The scanner maintains a denylist of Python functions considered unsafe when invoked via the pickle __reduce__ protocol. The list omits trace.Trace.runctx, a standard library function that executes arbitrary Python code within a tracing context. Attackers exploit this gap to smuggle executable payloads past the scanner while the file continues to appear safe.

Root Cause

The root cause is incomplete coverage of dangerous callables in the picklescan detection logic. The trace.Trace.runctx method accepts a code string and a globals dictionary, then executes the code under the tracer. Because pickle __reduce__ methods can return arbitrary callables with arguments, an attacker can reference trace.Trace.runctx and supply an inline Python payload. The scanner walks the pickle opcodes without flagging this function, so downstream pickle.load() calls execute the attacker's code.

Attack Vector

Exploitation requires a victim to load an attacker-supplied pickle file, typically distributed as an ML model or serialized data object. When the victim invokes pickle.load() after receiving a clean scan report from picklescan, the Python interpreter resolves the reduce tuple and calls trace.Trace.runctx with attacker-controlled code. Execution occurs in the context of the loading process, giving the attacker the same privileges as the user running the Python application.

A description of the exploitation path is available in the VulnCheck Remote Code Execution Advisory and the GitHub Security Advisory.

Detection Methods for CVE-2025-71352

Indicators of Compromise

  • Pickle files whose disassembly (pickletools.dis) references the trace module or trace.Trace.runctx.
  • Python processes spawning unexpected child processes immediately after a pickle.load() call.
  • Outbound network connections initiated by scripts that only load serialized model files.
  • Presence of picklescan releases below 0.0.29 in project dependency manifests.

Detection Strategies

  • Inspect pickle files with pickletools.dis() and search for GLOBAL opcodes referencing modules outside an allowlist such as numpy, torch, or sklearn.
  • Re-scan previously validated pickle files with picklescan0.0.29 or later to identify artifacts that pass older versions but fail current detection.
  • Monitor endpoints and workload telemetry for anomalous Python child process creation, sys.settrace activity, or code execution originating from data-loading routines.

Monitoring Recommendations

  • Alert on installations or lockfile entries pinning picklescan<0.0.29 across CI pipelines and developer workstations.
  • Log and review pickle.load() and torch.load() invocations in production inference services.
  • Correlate model-file downloads from external registries with subsequent process and network activity for anomaly review.

How to Mitigate CVE-2025-71352

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later across all environments that validate pickle files.
  • Rescan every previously trusted pickle or ML model artifact using the patched scanner before further use.
  • Quarantine or discard pickle files sourced from untrusted publishers until validated by the updated scanner.

Patch Information

The fix ships in picklescan0.0.29, which adds trace.Trace.runctx to the set of dangerous callables detected during scanning. Details are published in the GitHub Security Advisory GHSA-g344-hcph-8vgg.

Workarounds

  • Avoid pickle.load() on files from untrusted sources; prefer safer formats such as safetensors for model weights.
  • Load pickle content only inside sandboxed containers with restricted network egress and no privileged mounts.
  • Combine picklescan with a secondary allowlist-based loader that whitelists specific GLOBAL references rather than relying on denylist detection alone.
bash
# Configuration example
pip install --upgrade "picklescan>=0.0.29"
picklescan --path ./models --verbose

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.