Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71353

CVE-2025-71353: Picklescan RCE Vulnerability

CVE-2025-71353 is a remote code execution flaw in picklescan that allows attackers to bypass detection using malicious pickle files. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71353 Overview

CVE-2025-71353 affects picklescan versions before 0.0.28, a security tool that scans Python pickle files for malicious content. The scanner fails to detect pickle payloads that abuse the torch._dynamo.guards.GuardBuilder.get function inside __reduce__ methods. Attackers can craft pickle files that bypass picklescan detection and execute arbitrary commands when the file is loaded through pickle.load or torch.load. The flaw is classified as insecure deserialization [CWE-502] and is relevant to machine learning workflows that consume third-party model files from repositories such as Hugging Face.

Critical Impact

Attackers can distribute malicious PyTorch model files that evade picklescan scanning and achieve arbitrary code execution on any system that loads the model.

Affected Products

  • picklescan versions prior to 0.0.28
  • Machine learning pipelines that rely on picklescan to validate PyTorch model files
  • Downstream tooling that integrates picklescan as a pre-load safety check

Discovery Timeline

  • 2026-07-04 - CVE-2025-71353 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2025-71353

Vulnerability Analysis

The Python pickle format allows objects to define a __reduce__ method that returns a callable and its arguments. During deserialization, the callable is executed with those arguments. Scanners such as picklescan maintain an allowlist and denylist of imports observed in pickle opcodes to flag dangerous constructs like os.system or subprocess.Popen.

picklescan before 0.0.28 does not recognize torch._dynamo.guards.GuardBuilder.get as a dangerous import. Attackers embed this function as the reduce callable and pass a payload that ultimately triggers arbitrary code execution when PyTorch resolves the guard. Because the scanner reports the file as clean, downstream loaders proceed with pickle.load and the payload runs in the context of the loading process.

The vulnerability requires user interaction: a victim must load an attacker-supplied pickle or model file. Delivery typically occurs through public model hubs, shared datasets, or supply chain compromise of trusted repositories.

Root Cause

The root cause is an incomplete denylist inside picklescan. The scanner enumerates known-dangerous globals but omits torch._dynamo.guards.GuardBuilder.get, which provides an attacker-controlled code path reachable through PyTorch internals. This is a classic deserialization filter bypass [CWE-502].

Attack Vector

An attacker publishes a PyTorch model or standalone pickle file containing a __reduce__ payload that references torch._dynamo.guards.GuardBuilder.get. The victim scans the file with a vulnerable picklescan release, receives a clean verdict, and then loads the file with torch.load or pickle.load. Arbitrary commands execute with the privileges of the loading process. See the GitHub Security Advisory GHSA-86cj-95qr-2p4f and the VulnCheck Security Advisory for the payload structure and reproduction details.

Detection Methods for CVE-2025-71353

Indicators of Compromise

  • Pickle or PyTorch model files whose opcode stream references torch._dynamo.guards.GuardBuilder.get inside a REDUCE operation.
  • Python processes spawning shells, curl, wget, or interpreter children immediately after invoking torch.load or pickle.load.
  • Model files sourced from untrusted hubs that pass a picklescan release older than 0.0.28.

Detection Strategies

  • Run pickletools.dis against suspect files and search for GLOBAL 'torch._dynamo.guards GuardBuilder.get' prior to any REDUCE opcode.
  • Upgrade to picklescan0.0.28 or later and rescan any previously approved model artifacts.
  • Instrument ML build systems to reject pickle files containing globals outside an explicit allowlist rather than relying solely on denylists.

Monitoring Recommendations

  • Alert on outbound network connections initiated by Python processes that recently loaded a model file.
  • Log file loads performed by data science workloads and correlate with process ancestry to catch unexpected child processes.
  • Track picklescan versions across CI/CD runners and developer workstations to identify vulnerable installations.

How to Mitigate CVE-2025-71353

Immediate Actions Required

  • Upgrade picklescan to version 0.0.28 or later across all environments that scan model files.
  • Re-scan every model artifact previously validated by an older picklescan release before allowing further use.
  • Restrict model ingestion to signed or internally reviewed sources until scanners are updated.

Patch Information

The issue is fixed in picklescan0.0.28. Install the patched release with pip install --upgrade picklescan>=0.0.28. Details are published in the GitHub Security Advisory GHSA-86cj-95qr-2p4f.

Workarounds

  • Prefer safer serialization formats such as safetensors for model weight distribution.
  • Load untrusted pickle content only inside sandboxed, network-isolated containers with no persistent credentials.
  • Enforce an allowlist of permitted globals using a custom pickle.Unpickler.find_class implementation instead of relying only on scanner denylists.
bash
# Configuration example
pip install --upgrade "picklescan>=0.0.28"
picklescan --path ./models --recursive

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.