CVE-2025-71355 Overview
CVE-2025-71355 affects picklescan versions before 0.0.25, a static analysis tool designed to detect unsafe operations in Python pickle files. The scanner fails to flag unsafe global functions exposed by the NumPy library. Attackers can craft malicious pickle files that invoke numpy.testing._private.utils.runstring inside the __reduce__ method. When a victim loads the pickle, the payload imports dangerous modules such as os and executes arbitrary operating system commands. The flaw is classified under CWE-184: Incomplete List of Disallowed Inputs.
Critical Impact
Malicious pickle files bypass picklescan static analysis and achieve arbitrary code execution when loaded, threatening machine learning pipelines that trust the scanner's verdict.
Affected Products
- picklescan versions prior to 0.0.25
- Machine learning workflows that rely on picklescan to vet untrusted pickle or model artifacts
- Downstream tools and CI pipelines that gate model ingestion on picklescan results
Discovery Timeline
- 2026-06-30 - CVE-2025-71355 published to the National Vulnerability Database
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2025-71355
Vulnerability Analysis
picklescan maintains a denylist of global functions considered unsafe during pickle deserialization. The denylist omits numpy.testing._private.utils.runstring, which evaluates a supplied string as Python code. A pickle file that references this global as its reduction target executes attacker-controlled Python when pickle.load reconstructs the object. Because the scanner reports the file as safe, downstream consumers proceed with deserialization and trigger the payload. The issue is a detection gap rather than a flaw in the pickle protocol itself, which means every application that treats a clean picklescan result as authorization to load an artifact inherits the risk.
Root Cause
The root cause is an incomplete disallowed-function list. picklescan did not enumerate the NumPy testing internals that provide dynamic code evaluation. Any function reachable through a pickle reducer that maps to Python execution primitives constitutes a bypass. The maintainers addressed the gap in version 0.0.25 by extending detection to cover the NumPy runstring path.
Attack Vector
Exploitation requires an attacker to deliver a crafted pickle or serialized model file to a victim environment, typically through a model hub, shared dataset, or supply chain artifact. The victim must load the pickle after picklescan reports it as safe. On load, Python invokes the object's __reduce__ result, which calls numpy.testing._private.utils.runstring with a string that imports os and issues shell commands. The full vulnerability mechanism is documented in the GitHub Security Advisory GHSA-fj43-3qmq-673f and the VulnCheck advisory on Picklescan. No verified public exploit code is referenced in the enriched data.
Detection Methods for CVE-2025-71355
Indicators of Compromise
- Pickle or model files whose disassembly shows a GLOBAL opcode referencing numpy.testing._private.utils.runstring.
- Python processes that spawn shell interpreters (sh, bash, cmd.exe) as direct children of model-loading scripts.
- Outbound network connections initiated by data science workers immediately after loading a third-party model artifact.
Detection Strategies
- Run pickletools.dis against untrusted pickle files and alert on any reference to numpy.testing, numpy.core, or other reflective evaluation paths.
- Upgrade static analysis to picklescan0.0.25 or later and re-scan the artifact repository to identify previously cleared files that are now flagged.
- Correlate model-loading events with subsequent process creation and network telemetry to catch execution that follows a benign scanner verdict.
Monitoring Recommendations
- Log every invocation of pickle.load, torch.load, joblib.load, and numpy.load(allow_pickle=True) in production Python workloads.
- Monitor CI/CD systems for downloads from public model hubs and retain hashes of ingested artifacts for retroactive scanning.
- Alert when Python interpreters that host inference workloads execute os.system, subprocess.Popen, or DNS lookups outside expected destinations.
How to Mitigate CVE-2025-71355
Immediate Actions Required
- Upgrade picklescan to version 0.0.25 or later across developer workstations, build agents, and production scanners.
- Rescan every pickle, .pt, .pkl, .joblib, and NumPy artifact previously cleared by an earlier picklescan release.
- Quarantine any model file that references numpy.testing._private.utils.runstring or other dynamic evaluation globals until a manual review completes.
Patch Information
The fix ships in picklescan0.0.25. The maintainers extended the unsafe-globals list to cover numpy.testing._private.utils.runstring and related NumPy reflective helpers. Details are published in the GitHub Security Advisory GHSA-fj43-3qmq-673f.
Workarounds
- Treat pickle files from untrusted sources as executable code and refuse to load them, favoring safer formats such as safetensors for model weights.
- Load suspect pickles only inside isolated sandboxes with no network egress, minimal filesystem access, and short-lived credentials.
- Pin numpy and other dependencies to reviewed versions and remove unused testing modules from production images to shrink the reachable attack surface.
# Configuration example
pip install --upgrade 'picklescan>=0.0.25'
picklescan --path ./models --json > scan-report.json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

