Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71356

CVE-2025-71356: picklescan RCE Vulnerability Detected

CVE-2025-71356 is a remote code execution vulnerability in picklescan before version 0.0.28 that allows attackers to embed malicious code in pickle files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71356 Overview

CVE-2025-71356 is an insecure deserialization vulnerability [CWE-502] in picklescan versions before 0.0.28. The scanner fails to detect malicious calls to torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression embedded in pickle files. Attackers can craft pickle files containing hidden code that executes when a victim loads the file, bypassing picklescan's static analysis. The flaw affects machine learning workflows that rely on picklescan to validate untrusted model files before deserialization with PyTorch.

Critical Impact

Attackers can distribute weaponized model files that pass picklescan validation and achieve arbitrary code execution on systems that load them.

Affected Products

  • picklescan versions prior to 0.0.28
  • PyTorch workflows that depend on picklescan for pre-load validation
  • Machine learning pipelines consuming untrusted pickle-based model artifacts

Discovery Timeline

  • 2026-07-04 - CVE-2025-71356 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2025-71356

Vulnerability Analysis

picklescan is a static scanner that inspects pickle files for references to dangerous callables before deserialization. It maintains an allow/deny list of module paths and function names considered safe or unsafe. The scanner does not flag torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression, treating it as benign. That function, however, evaluates expression strings supplied through pickle input and can be steered to execute attacker-controlled Python code during unpickling.

The issue is a coverage gap in the deny list rather than a parser bug. Any pickle file that resolves ShapeEnv.evaluate_guards_expression through the GLOBAL opcode and invokes it with a crafted expression will pass the scan. When the victim subsequently calls torch.load() or pickle.load(), the reduced function executes, yielding remote code execution with the privileges of the loading process.

Root Cause

The root cause is an incomplete inventory of unsafe callables within PyTorch's torch.fx.experimental.symbolic_shapes module. picklescan versions before 0.0.28 do not recognize evaluate_guards_expression as a code-execution sink, so pickle streams referencing it are marked safe.

Attack Vector

Exploitation requires a victim to download and load a malicious pickle file, typically a PyTorch model checkpoint distributed through a model hub, shared repository, or supply chain artifact. The attacker embeds a REDUCE instruction that invokes ShapeEnv.evaluate_guards_expression with a payload string. Because the scanner clears the file, the developer or automation pipeline proceeds to torch.load() and the payload executes. See the GitHub Security Advisory GHSA-f4x7-rfwp-v3xw and the VulnCheck advisory for further technical detail.

Detection Methods for CVE-2025-71356

Indicators of Compromise

  • Pickle or PyTorch model files containing the string torch.fx.experimental.symbolic_shapes combined with evaluate_guards_expression
  • Unexpected child processes spawned by Python interpreters shortly after torch.load() or pickle.load() calls
  • Outbound network connections initiated by ML training or inference workers immediately after model loading
  • Model artifacts sourced from untrusted hubs whose SHA256 hashes do not match publisher-provided values

Detection Strategies

  • Statically inspect pickle files with pickletools.dis() and flag any GLOBAL opcodes referencing torch.fx.experimental.symbolic_shapes
  • Upgrade to picklescan0.0.28 or later and re-scan any previously validated model repositories
  • Add EDR behavioral rules that alert when python or python3 processes execute shells, curl, wget, or write to autostart locations after loading model files

Monitoring Recommendations

  • Log all model file ingestion events in ML pipelines with source URL, hash, and scanner version
  • Correlate process-execution telemetry from Singularity Endpoint with model-loading events to surface post-deserialization anomalies
  • Ingest pipeline and endpoint logs into Singularity Data Lake to hunt across historical model loads for references to evaluate_guards_expression

How to Mitigate CVE-2025-71356

Immediate Actions Required

  • Upgrade picklescan to version 0.0.28 or later across developer workstations, CI runners, and production ML infrastructure
  • Re-scan all cached and stored pickle model files with the updated scanner and quarantine any that reference ShapeEnv.evaluate_guards_expression
  • Restrict model downloads to vetted internal registries and verify publisher signatures or hashes before use

Patch Information

The maintainers addressed the gap in picklescan0.0.28 by adding torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression to the unsafe-globals list. Refer to the GitHub Security Advisory GHSA-f4x7-rfwp-v3xw for the fix commit and release notes.

Workarounds

  • Prefer the safetensors format over pickle-based checkpoints wherever supported by the model
  • Load untrusted models inside sandboxed containers with no network egress and non-root users
  • Use torch.load(..., weights_only=True) on PyTorch versions that support it to restrict deserialization to tensor data
bash
# Upgrade picklescan and re-scan model directory
pip install --upgrade 'picklescan>=0.0.28'
picklescan --path /models --recursive

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.