Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71358

CVE-2025-71358: picklescan RCE Vulnerability

CVE-2025-71358 is a remote code execution flaw in picklescan before 0.0.29 that fails to detect malicious pickle files exploiting idlelib.autocomplete. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71358 Overview

CVE-2025-71358 is an insecure deserialization weakness affecting picklescan versions prior to 0.0.29. The tool fails to detect malicious pickle files that abuse the idlelib.autocomplete.AutoComplete.get_entity function inside pickle __reduce__ methods. Attackers can embed code that evades picklescan static analysis and executes arbitrary commands when victims load the file with pickle.load(). The flaw is tracked under CWE-502: Deserialization of Untrusted Data. It poses a supply chain risk to machine learning pipelines that rely on picklescan to vet model artifacts distributed through Hugging Face and similar repositories.

Critical Impact

Attackers can ship malicious pickle-based model files that bypass picklescan scanning and run arbitrary code on developer or production systems during model load.

Affected Products

  • picklescan versions before 0.0.29
  • Python applications and ML pipelines that rely on picklescan to validate untrusted pickle or model files
  • Downstream tooling that imports picklescan as a safety gate before calling pickle.load()

Discovery Timeline

  • 2026-06-22 - CVE-2025-71358 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2025-71358

Vulnerability Analysis

picklescan inspects pickle bytecode for references to known dangerous callables before deserialization. Versions prior to 0.0.29 do not flag idlelib.autocomplete.AutoComplete.get_entity as unsafe. Attackers reference this function inside a __reduce__ method on a class they pickle. When a victim loads the file with pickle.load(), the Python runtime invokes the referenced callable with attacker-controlled arguments, leading to arbitrary command execution in the victim process. The exploit requires the victim to load an untrusted pickle file, which is common in machine learning workflows that consume third-party model checkpoints.

Root Cause

The root cause is an incomplete denylist inside picklescan. The scanner enumerates known-dangerous module and attribute pairs but omitted the idlelib.autocomplete path. Because pickle deserialization resolves any importable attribute referenced in REDUCE opcodes, any missing entry in the denylist becomes a bypass primitive. This is a recurring pattern in pickle scanners and reflects the broader insecurity of pickle as a format for untrusted data.

Attack Vector

An attacker publishes a crafted pickle or model file to a public repository, container image, or shared storage location. The file passes picklescan checks and appears safe. When a developer, CI pipeline, or inference service calls pickle.load() or higher-level loaders such as torch.load() on the file, the embedded __reduce__ payload triggers idlelib.autocomplete.AutoComplete.get_entity to execute attacker-supplied code. No authentication is required and user interaction is limited to loading the file. See the GitHub Security Advisory GHSA-6w4w-5w54-rjvr and the VulnCheck advisory for additional technical context.

Detection Methods for CVE-2025-71358

Indicators of Compromise

  • Pickle or model files that import idlelib.autocomplete or reference AutoComplete.get_entity in their opcode stream
  • Python processes spawning unexpected child processes such as sh, bash, cmd.exe, or powershell.exe immediately after a pickle.load() or torch.load() call
  • Outbound network connections originating from model loading services or Jupyter kernels shortly after ingesting an external .pkl, .bin, or .pt file

Detection Strategies

  • Statically inspect pickle files with pickletools.dis() and flag any GLOBAL or STACK_GLOBAL opcode referencing idlelib modules
  • Upgrade scanners and add custom rules that treat any idlelib.* reference inside untrusted pickles as malicious
  • Hunt for process trees where Python interpreters running model-serving code launch shells or scripting hosts

Monitoring Recommendations

  • Log every invocation of pickle.load, pickle.loads, and torch.load in production inference services and correlate with file provenance
  • Alert on Python processes loading the idlelib package outside of IDLE itself, which is uncommon in server environments
  • Track installations of picklescan across developer and CI hosts and alert when versions below 0.0.29 are observed

How to Mitigate CVE-2025-71358

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later across all developer workstations, CI runners, and model registries
  • Re-scan any third-party pickle or model artifacts ingested before the upgrade using the patched picklescan release
  • Avoid calling pickle.load() on files received from untrusted sources, even after scanning, and prefer formats such as safetensors

Patch Information

The maintainers fixed the issue in picklescan0.0.29 by extending the denylist to cover the idlelib.autocomplete.AutoComplete.get_entity gadget. Refer to the GitHub Security Advisory GHSA-6w4w-5w54-rjvr for the official remediation notes and to the VulnCheck advisory for the disclosure timeline.

Workarounds

  • Migrate model serialization to safetensors, which does not execute code during load
  • Run model loading in sandboxed, network-restricted containers with read-only filesystems and minimal egress
  • Maintain an allowlist of trusted publishers and verify cryptographic signatures on model artifacts before deserialization
bash
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.29'

# Verify the installed version
python -c "import picklescan, sys; print(picklescan.__version__)"

# Inspect a suspicious pickle file for idlelib references before loading
python -m pickletools suspicious_model.pkl | grep -i idlelib

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.