Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71357

CVE-2025-71357: picklescan RCE Vulnerability

CVE-2025-71357 is a remote code execution vulnerability in picklescan before version 0.0.30 that fails to detect malicious pickle files. Attackers can embed undetected code to execute remote commands. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-71357 Overview

CVE-2025-71357 affects picklescan versions before 0.0.30, a security scanner designed to detect malicious Python pickle files. The scanner fails to identify malicious payloads that use idlelib.pyshell.ModifiedInterpreter.runcommand within pickle __reduce__ methods. Attackers can craft pickle files containing this undetected gadget to execute arbitrary commands when victims load the file. The vulnerability is classified under [CWE-502] Deserialization of Untrusted Data. Machine learning pipelines and model-sharing platforms that rely on picklescan to validate downloaded models are directly exposed to supply chain compromise.

Critical Impact

Attackers can deliver pickle files that bypass picklescan detection and execute arbitrary code on systems that load the file, enabling remote code execution against ML practitioners and automated pipelines.

Affected Products

  • picklescan versions prior to 0.0.30
  • Python environments that import untrusted pickle files validated by picklescan
  • ML model distribution workflows relying on picklescan for security validation

Discovery Timeline

  • 2026-06-21 - CVE-2025-71357 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2025-71357

Vulnerability Analysis

The Python pickle module deserializes objects by invoking constructors and callables encoded in the serialized stream. When a class defines __reduce__, the pickle protocol calls the returned callable with the supplied arguments during pickle.load(). Any callable reachable from the Python standard library can therefore be invoked, including those that execute shell commands.

picklescan mitigates this risk by parsing pickle opcodes and flagging known dangerous callables such as os.system, subprocess.Popen, and builtins.exec. The scanner maintains a deny list of imports that indicate code execution intent. Versions before 0.0.30 omit idlelib.pyshell.ModifiedInterpreter.runcommand from this list. The runcommand method belongs to the standard library idlelib package and executes arbitrary Python source within the IDLE interpreter context.

Root Cause

The root cause is an incomplete deny list of dangerous imports inside picklescan. The scanner's static analysis enumerates risky callables but does not cover the full attack surface exposed by the Python standard library. Because idlelib.pyshell.ModifiedInterpreter.runcommand was not enumerated, pickle files referencing this gadget passed scanning as benign while still achieving arbitrary code execution on pickle.load().

Attack Vector

An attacker crafts a malicious pickle file whose __reduce__ method returns idlelib.pyshell.ModifiedInterpreter.runcommand together with a Python expression as its argument. The file is distributed through a model hub, Git repository, or other supply chain channel. The victim runs picklescan against the file, receives a clean result, and proceeds to load it. During deserialization, Python imports idlelib.pyshell and invokes runcommand, executing the attacker-supplied payload with the privileges of the loading process. User interaction is required because the victim must invoke the load operation, but no authentication is needed.

No verified public exploit code is available. See the GitHub Security Advisory and the VulnCheck Arbitrary Code Execution Advisory for technical details.

Detection Methods for CVE-2025-71357

Indicators of Compromise

  • Pickle files containing references to idlelib.pyshell or ModifiedInterpreter strings within the serialized opcode stream.
  • Python processes spawning unexpected child processes shortly after invoking pickle.load() or torch.load().
  • Loaded models or serialized artifacts importing idlelib modules outside an IDLE development context.

Detection Strategies

  • Run pickletools.dis() against suspect files and inspect GLOBAL and STACK_GLOBAL opcodes for any reference to idlelib or other interpreter-execution modules.
  • Upgrade picklescan to 0.0.30 or later and re-scan all previously approved pickle artifacts, including cached Hugging Face and PyTorch checkpoints.
  • Monitor Python interpreter processes for anomalous module imports of idlelib.pyshell during model loading workflows.

Monitoring Recommendations

  • Log all invocations of pickle.load, pickle.loads, joblib.load, and torch.load in production ML inference pipelines.
  • Alert on outbound network connections initiated by processes immediately after deserializing third-party artifacts.
  • Track integrity hashes of pickle files between scan time and load time to detect tampering after validation.

How to Mitigate CVE-2025-71357

Immediate Actions Required

  • Upgrade picklescan to version 0.0.30 or later across all developer workstations, CI pipelines, and model registries.
  • Rescan every pickle file currently trusted by the organization, including cached models pulled from public hubs.
  • Quarantine artifacts that reference idlelib.pyshell.ModifiedInterpreter.runcommand and investigate their provenance.

Patch Information

The picklescan maintainers released version 0.0.30 to add detection for the idlelib.pyshell.ModifiedInterpreter.runcommand gadget. Install the fixed release with pip install --upgrade picklescan>=0.0.30. Refer to the GitHub Security Advisory GHSA-j343-8v2j-ff7w for the authoritative fix details.

Workarounds

  • Avoid loading pickle files from untrusted sources and prefer safer formats such as safetensors for machine learning model distribution.
  • Load pickle files inside sandboxed environments with restricted filesystem, network, and process capabilities.
  • Implement a custom pickle.Unpickler.find_class allowlist that rejects idlelib and other non-essential modules during deserialization.
bash
# Configuration example
pip install --upgrade 'picklescan>=0.0.30'
picklescan --path ./models/suspect_model.pkl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.