CVE-2025-71359 Overview
CVE-2025-71359 is an insecure deserialization vulnerability in picklescan versions before 0.0.29. The scanner fails to detect malicious pickle payloads that abuse lib2to3.pgen2.grammar.Grammar.loads inside the __reduce__ method. Attackers can craft pickle files that embed dangerous code, evade picklescan static analysis, and execute arbitrary commands when the file is loaded via pickle.load(). The flaw is classified under CWE-502: Deserialization of Untrusted Data and directly impacts machine learning pipelines that rely on picklescan to vet third-party model files.
Critical Impact
Attackers can bypass picklescan detection to achieve remote code execution during deserialization of untrusted pickle or ML model files.
Affected Products
- picklescan versions prior to 0.0.29
- Machine learning pipelines using picklescan to validate untrusted pickle files
- Model hubs and repositories relying on picklescan as a safety gate
Discovery Timeline
- 2026-07-04 - CVE-2025-71359 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71359
Vulnerability Analysis
The picklescan project inspects pickle files for references to dangerous callables before deserialization. The tool maintains a list of known unsafe globals such as os.system, subprocess.Popen, and eval. Versions before 0.0.29 do not flag lib2to3.pgen2.grammar.Grammar.loads as a dangerous import. Because Grammar.loads internally invokes pickle.load on attacker-controlled bytes, it becomes a deserialization primitive that chains into arbitrary code execution.
Attackers embed the malicious global inside a pickle payload using the __reduce__ protocol. The scanner treats the payload as safe, but pickle.load() invokes Grammar.loads on nested attacker bytes, which deserializes a secondary pickle stream containing hostile reduce operations. This produces remote code execution on the loading system.
Root Cause
The root cause is an incomplete deny list of unsafe imports in picklescan. lib2to3.pgen2.grammar.Grammar.loads was not enumerated as a callable that performs deserialization. Any function that itself calls pickle.load or executes code must be treated as unsafe when reached through a pickle reduce operation.
Attack Vector
Exploitation requires a victim to load an attacker-supplied pickle file after picklescan clears it. Typical delivery paths include malicious model files distributed through public model hubs, shared datasets, or supply-chain compromise of ML dependencies. User interaction is required to load the file, but no authentication is needed to publish the payload.
The vulnerability mechanism involves crafting a pickle stream whose __reduce__ return value references lib2to3.pgen2.grammar.Grammar.loads with a nested pickle blob as its argument. See the GitHub Security Advisory GHSA-f54q-57x4-jg88 and the VulnCheck Advisory for the full technical write-up.
Detection Methods for CVE-2025-71359
Indicators of Compromise
- Pickle or model files that import lib2to3.pgen2.grammar or reference Grammar.loads in their opcode stream
- Unexpected child processes spawned by Python processes immediately after loading a .pkl, .pt, .bin, or .ckpt file
- Outbound network connections initiated by ML training or inference workers shortly after model load
Detection Strategies
- Statically scan pickle files with pickletools.dis and alert on any GLOBAL opcode referencing lib2to3 modules
- Upgrade to picklescan 0.0.29 or later, which extends the unsafe globals list to cover this bypass
- Prefer safer serialization formats such as safetensors for model distribution and treat pickle-based artifacts as untrusted code
Monitoring Recommendations
- Monitor Python interpreter processes for execve, fork, and unexpected shell invocations during model load operations
- Log and review all model downloads from third-party hubs, correlating file hashes against known-good baselines
- Alert on ML worker processes that establish outbound connections to non-approved destinations
How to Mitigate CVE-2025-71359
Immediate Actions Required
- Upgrade picklescan to version 0.0.29 or later across all environments, including CI, developer workstations, and inference servers
- Rescan any pickle or model files previously cleared by an older picklescan version before continued use
- Restrict loading of pickle artifacts to files sourced from trusted, signed repositories
Patch Information
The fix is available in picklescan 0.0.29, which adds lib2to3.pgen2.grammar.Grammar.loads to the set of dangerous globals. Install the patched release with pip install --upgrade picklescan>=0.0.29. Review the GitHub Security Advisory GHSA-f54q-57x4-jg88 for the full commit reference and validation guidance.
Workarounds
- Replace pickle-based model formats with safetensors or ONNX where feasible, eliminating the deserialization attack surface
- Load untrusted pickle files only inside isolated sandboxes such as gVisor, Firecracker, or ephemeral containers without network access
- Enforce cryptographic signing and provenance checks (for example, Sigstore) on all model artifacts before deserialization
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.29'
# Verify the installed version
python -c "import picklescan; print(picklescan.__version__)"
# Rescan a suspect model file
picklescan --path suspicious_model.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

