CVE-2025-71354 Overview
CVE-2025-71354 is an insecure deserialization vulnerability [CWE-502] in picklescan versions before 0.0.29. The scanner fails to detect malicious pickle files that abuse the idlelib.debugobj.ObjectTreeItem.SetText function inside __reduce__ methods. Attackers craft pickle payloads that pass picklescan inspection and execute arbitrary commands when pickle.load() is invoked on the file. The flaw undermines the security guarantees that picklescan provides for machine learning model distribution platforms and pipelines that rely on it to vet untrusted pickle artifacts.
Critical Impact
Attackers can distribute malicious pickle files, including ML model weights, that bypass picklescan checks and achieve arbitrary code execution on systems that deserialize them.
Affected Products
- picklescan versions prior to 0.0.29
- Machine learning workflows that use picklescan to validate pickle or PyTorch model files
- Model registries and inference systems that ingest third-party pickle artifacts
Discovery Timeline
- 2026-06-24 - CVE-2025-71354 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2025-71354
Vulnerability Analysis
The Python pickle format allows objects to define a __reduce__ method that returns a callable and its arguments. When the object is deserialized, that callable is invoked. Static scanners such as picklescan work by enumerating opcodes and the global symbols they reference, then comparing those symbols against an allow or deny list.
picklescan before 0.0.29 does not flag references to idlelib.debugobj.ObjectTreeItem.SetText. This function, shipped with the standard CPython distribution under idlelib, can be reached via a crafted reduce payload and chained into arbitrary code execution. Because the symbol is not on the scanner's list of dangerous imports, malicious files are reported as clean.
Root Cause
The root cause is an incomplete denylist of dangerous Python globals in picklescan. The scanner enumerates known unsafe callables, but missed callables exposed by idlelib. The idlelib.debugobj.ObjectTreeItem.SetText symbol can be invoked during unpickling and used to evaluate attacker-controlled content. This is a classic deserialization weakness [CWE-502] compounded by an allowlist or denylist that does not cover the full standard library attack surface.
Attack Vector
An attacker publishes a pickle file, typically packaged as a machine learning model checkpoint, on a model hub, file share, or repository. A defender or automated pipeline runs picklescan against the file, which reports no malicious content. When a downstream consumer calls pickle.load() or torch.load() on the file, the embedded __reduce__ payload invokes idlelib.debugobj.ObjectTreeItem.SetText and executes arbitrary commands under the user account that loaded the file. User interaction is required, since a victim must choose to deserialize the supplied file.
No verified public exploit code is referenced in the advisories. Technical details are documented in the GitHub Security Advisory GHSA-3vg9-h568-4w9m and the VulnCheck Advisory on PickleScan.
Detection Methods for CVE-2025-71354
Indicators of Compromise
- Pickle or PyTorch model files containing references to idlelib.debugobj or ObjectTreeItem.SetText in their opcode stream.
- Python processes spawning child shells such as sh, bash, cmd.exe, or powershell.exe shortly after loading a model file.
- Unexpected network connections initiated by Python interpreters that have just executed pickle.load() or torch.load().
- picklescan runs that report a file as clean while downstream sandbox analysis flags the same file as malicious.
Detection Strategies
- Inspect pickle files with pickletools.dis() and alert on any GLOBAL or STACK_GLOBAL opcode that imports from idlelib, os, subprocess, runpy, pty, or other code-execution-capable modules.
- Update to picklescan0.0.29 or later, which adds the missing symbol coverage, and rescan previously cleared artifacts.
- Compare scan results between picklescan and at least one additional pickle inspection tool to catch denylist gaps.
Monitoring Recommendations
- Log every invocation of pickle.load, pickle.loads, and torch.load in ML services and ship those logs to centralized analytics for correlation with process and network telemetry.
- Monitor model registry uploads for file authors or repositories that have not previously contributed, and require sandbox detonation before promotion.
- Track process trees rooted at Python interpreters used for model serving and alert on unexpected child processes.
How to Mitigate CVE-2025-71354
Immediate Actions Required
- Upgrade picklescan to version 0.0.29 or later across developer workstations, CI pipelines, and model ingestion services.
- Rescan all pickle and PyTorch artifacts previously cleared by older picklescan versions and quarantine files that now trigger alerts.
- Restrict the loading of third-party pickle files to sandboxed environments with no production credentials and no outbound network access.
- Prefer safer serialization formats such as safetensors for model weights where feasible.
Patch Information
The maintainers fixed the issue in picklescan0.0.29 by extending the set of recognized dangerous globals to include idlelib.debugobj.ObjectTreeItem.SetText. Refer to the GitHub Security Advisory GHSA-3vg9-h568-4w9m for the authoritative fix details and the VulnCheck Advisory on PickleScan for additional context.
Workarounds
- Block or denylist imports of idlelib in unpickling contexts using a custom pickle.Unpickler subclass that overrides find_class.
- Execute pickle deserialization only inside ephemeral containers or virtual machines with no access to secrets or production networks.
- Require cryptographic signatures on internally produced model files and reject any unsigned pickle file at load time.
# Upgrade picklescan to a fixed version
pip install --upgrade 'picklescan>=0.0.29'
# Re-scan a directory of model files after upgrading
picklescan --path ./models
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

