Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71360

CVE-2025-71360: picklescan RCE Vulnerability Detected

CVE-2025-71360 is a remote code execution vulnerability in picklescan before version 0.0.29 that fails to detect malicious pickle files. Attackers exploit this to execute arbitrary commands. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-71360 Overview

CVE-2025-71360 affects picklescan versions prior to 0.0.29, a security scanner designed to detect malicious Python pickle files. The scanner fails to flag pickle payloads that abuse the idlelib.calltip.get_entity function inside __reduce__ methods. Attackers can craft pickle files that pass picklescan validation while executing arbitrary code when deserialized by a victim. The flaw maps to CWE-502: Deserialization of Untrusted Data and enables remote code execution in machine learning pipelines that rely on picklescan as a safety gate for downloaded model artifacts.

Critical Impact

Attackers can distribute weaponized pickle or ML model files that bypass picklescan detection and execute arbitrary commands on victim systems during model loading.

Affected Products

  • picklescan versions before 0.0.29
  • Python machine learning workflows relying on picklescan for pickle validation
  • Model repositories and pipelines ingesting untrusted .pkl, .pt, or similar pickle-backed artifacts

Discovery Timeline

  • 2026-07-04 - CVE-2025-71360 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2025-71360

Vulnerability Analysis

picklescan inspects pickle bytecode for references to functions and classes known to enable code execution during deserialization. The scanner maintains an allowlist and blocklist of imports invoked through opcodes such as GLOBAL and STACK_GLOBAL. The function idlelib.calltip.get_entity was not included in the blocklist. idlelib.calltip.get_entity accepts an expression string and evaluates it using eval(), which allows arbitrary Python execution. A pickle file that references this function through a __reduce__ method passes picklescan inspection and executes attacker-controlled code when pickle.load() or a wrapping loader such as torch.load() processes the payload.

Root Cause

The root cause is an incomplete blocklist of dangerous callables inside picklescan. The scanner enumerates known sinks such as os.system, subprocess.Popen, and builtins.eval, but it did not account for indirect execution primitives shipped in the Python standard library. idlelib.calltip.get_entity internally invokes eval() against caller-supplied input, providing an equivalent code-execution primitive that the scanner treated as benign.

Attack Vector

An attacker publishes a malicious pickle file, for example a Python-serialized machine learning model on a public model hub or artifact registry. The pickle defines a class whose __reduce__ method returns (idlelib.calltip.get_entity, ("__import__('os').system('id')",)). A victim downloads the artifact and runs picklescan against it as part of a supply-chain safety check. The scanner reports the file as clean because idlelib.calltip.get_entity is not on its dangerous-imports list. When the victim then deserializes the file, the pickle machinery calls get_entity, which passes the attacker string to eval() and executes remote commands under the victim's user context. The attack requires user interaction to load the payload but no authentication or elevated privileges. See the GitHub Security Advisory and VulnCheck Advisory for the referenced technique.

Detection Methods for CVE-2025-71360

Indicators of Compromise

  • Pickle files containing GLOBAL or STACK_GLOBAL opcodes referencing idlelib.calltip or the get_entity symbol.
  • Unexpected child processes spawned from Python interpreters immediately after pickle.load, joblib.load, or torch.load calls.
  • Outbound network connections from ML training or inference hosts shortly after ingesting third-party model artifacts.

Detection Strategies

  • Inspect pickle files with pickletools.dis() and alert on any reference to idlelib, which has no legitimate role in serialized models or data objects.
  • Upgrade to picklescan0.0.29 or later and rerun scans across cached model artifacts and object stores.
  • Correlate model-loading events with process-creation and network telemetry to surface deserialization-driven execution.

Monitoring Recommendations

  • Log all Python processes that import idlelib.calltip outside interactive IDLE sessions.
  • Monitor file writes and process launches originating from data-science workloads, notebook servers, and MLOps runners.
  • Track ingestion of external pickle artifacts and record the SHA-256 hashes and scanner versions used at validation time.

How to Mitigate CVE-2025-71360

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later in every environment that scans untrusted pickle files.
  • Rescan cached models, datasets, and artifacts that were previously cleared by an older picklescan version.
  • Restrict pickle deserialization to trusted sources and prefer safer formats such as safetensors for model weights.

Patch Information

The maintainers of picklescan released version 0.0.29, which adds idlelib.calltip.get_entity to the dangerous-imports list. Refer to the GitHub Security Advisory GHSA-9xph-j2h6-g47v for the fix commit and release notes.

Workarounds

  • Block or remove idlelib from production Python environments where interactive IDLE tooling is not required.
  • Wrap pickle.load calls with a custom Unpickler that overrides find_class and rejects any module outside a strict allowlist.
  • Execute deserialization of third-party artifacts inside sandboxed containers with no network egress and minimal filesystem access.
bash
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.29'

# Verify the installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"

# Rescan an artifact directory
picklescan --path ./models

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.