Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71359

CVE-2025-71359: picklescan RCE Vulnerability

CVE-2025-71359 is a remote code execution flaw in picklescan before 0.0.29 that allows attackers to bypass detection using crafted pickle payloads. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71359 Overview

CVE-2025-71359 is an insecure deserialization vulnerability in picklescan versions before 0.0.29. The scanner fails to detect malicious pickle payloads that abuse lib2to3.pgen2.grammar.Grammar.loads inside the __reduce__ method. Attackers can craft pickle files that embed dangerous code, evade picklescan static analysis, and execute arbitrary commands when the file is loaded via pickle.load(). The flaw is classified under CWE-502: Deserialization of Untrusted Data and directly impacts machine learning pipelines that rely on picklescan to vet third-party model files.

Critical Impact

Attackers can bypass picklescan detection to achieve remote code execution during deserialization of untrusted pickle or ML model files.

Affected Products

  • picklescan versions prior to 0.0.29
  • Machine learning pipelines using picklescan to validate untrusted pickle files
  • Model hubs and repositories relying on picklescan as a safety gate

Discovery Timeline

  • 2026-07-04 - CVE-2025-71359 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2025-71359

Vulnerability Analysis

The picklescan project inspects pickle files for references to dangerous callables before deserialization. The tool maintains a list of known unsafe globals such as os.system, subprocess.Popen, and eval. Versions before 0.0.29 do not flag lib2to3.pgen2.grammar.Grammar.loads as a dangerous import. Because Grammar.loads internally invokes pickle.load on attacker-controlled bytes, it becomes a deserialization primitive that chains into arbitrary code execution.

Attackers embed the malicious global inside a pickle payload using the __reduce__ protocol. The scanner treats the payload as safe, but pickle.load() invokes Grammar.loads on nested attacker bytes, which deserializes a secondary pickle stream containing hostile reduce operations. This produces remote code execution on the loading system.

Root Cause

The root cause is an incomplete deny list of unsafe imports in picklescan. lib2to3.pgen2.grammar.Grammar.loads was not enumerated as a callable that performs deserialization. Any function that itself calls pickle.load or executes code must be treated as unsafe when reached through a pickle reduce operation.

Attack Vector

Exploitation requires a victim to load an attacker-supplied pickle file after picklescan clears it. Typical delivery paths include malicious model files distributed through public model hubs, shared datasets, or supply-chain compromise of ML dependencies. User interaction is required to load the file, but no authentication is needed to publish the payload.

The vulnerability mechanism involves crafting a pickle stream whose __reduce__ return value references lib2to3.pgen2.grammar.Grammar.loads with a nested pickle blob as its argument. See the GitHub Security Advisory GHSA-f54q-57x4-jg88 and the VulnCheck Advisory for the full technical write-up.

Detection Methods for CVE-2025-71359

Indicators of Compromise

  • Pickle or model files that import lib2to3.pgen2.grammar or reference Grammar.loads in their opcode stream
  • Unexpected child processes spawned by Python processes immediately after loading a .pkl, .pt, .bin, or .ckpt file
  • Outbound network connections initiated by ML training or inference workers shortly after model load

Detection Strategies

  • Statically scan pickle files with pickletools.dis and alert on any GLOBAL opcode referencing lib2to3 modules
  • Upgrade to picklescan 0.0.29 or later, which extends the unsafe globals list to cover this bypass
  • Prefer safer serialization formats such as safetensors for model distribution and treat pickle-based artifacts as untrusted code

Monitoring Recommendations

  • Monitor Python interpreter processes for execve, fork, and unexpected shell invocations during model load operations
  • Log and review all model downloads from third-party hubs, correlating file hashes against known-good baselines
  • Alert on ML worker processes that establish outbound connections to non-approved destinations

How to Mitigate CVE-2025-71359

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later across all environments, including CI, developer workstations, and inference servers
  • Rescan any pickle or model files previously cleared by an older picklescan version before continued use
  • Restrict loading of pickle artifacts to files sourced from trusted, signed repositories

Patch Information

The fix is available in picklescan 0.0.29, which adds lib2to3.pgen2.grammar.Grammar.loads to the set of dangerous globals. Install the patched release with pip install --upgrade picklescan>=0.0.29. Review the GitHub Security Advisory GHSA-f54q-57x4-jg88 for the full commit reference and validation guidance.

Workarounds

  • Replace pickle-based model formats with safetensors or ONNX where feasible, eliminating the deserialization attack surface
  • Load untrusted pickle files only inside isolated sandboxes such as gVisor, Firecracker, or ephemeral containers without network access
  • Enforce cryptographic signing and provenance checks (for example, Sigstore) on all model artifacts before deserialization
bash
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.29'

# Verify the installed version
python -c "import picklescan; print(picklescan.__version__)"

# Rescan a suspect model file
picklescan --path suspicious_model.pkl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.