CVE-2025-71361 Overview
CVE-2025-71361 affects picklescan versions before 0.0.29, a Python library designed to scan pickle files for malicious content. The scanner fails to detect idlelib.calltip.Calltip.fetch_tip calls embedded in pickle files. Attackers can craft pickle files containing this undetected gadget chain that achieves remote code execution when the file is loaded via pickle.load(). The flaw maps to CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code, commonly known as Eval Injection. Machine learning workflows that rely on picklescan to validate untrusted model files are directly exposed.
Critical Impact
Attackers can bypass picklescan static analysis and execute arbitrary code on systems that load attacker-supplied pickle files, including AI/ML model artifacts distributed through public hubs.
Affected Products
- picklescan versions prior to 0.0.29
- Python applications and ML pipelines using picklescan for pickle validation
- AI/ML model loading workflows relying on picklescan scan results before invoking pickle.load()
Discovery Timeline
- 2026-06-24 - CVE-2025-71361 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2025-71361
Vulnerability Analysis
The vulnerability resides in the allow/deny list logic used by picklescan to classify dangerous pickle opcodes and import targets. The scanner enumerates known dangerous callables such as os.system, subprocess.Popen, and builtins.eval, then flags pickle files that reference them. The idlelib.calltip.Calltip.fetch_tip method is absent from this list. When deserialized, fetch_tip ultimately evaluates an attacker-controlled expression, providing a code execution primitive equivalent to eval().
Because idlelib ships with the Python standard library, the gadget is universally available on systems that run pickle workloads. Defenders who treat a clean picklescan report as a trust signal will load the malicious file with pickle.load() and execute the embedded payload.
Root Cause
The root cause is incomplete enumeration of dangerous Python callables within the scanner's detection ruleset. picklescan operates as a deny-list scanner rather than performing semantic analysis of every reachable function in a pickle's REDUCE and GLOBAL opcodes. Any standard-library function that internally invokes eval, exec, or compile constitutes a valid bypass gadget. idlelib.calltip.Calltip.fetch_tip is one such function and was not enumerated in versions before 0.0.29.
Attack Vector
Exploitation requires an attacker to deliver a crafted pickle file to a victim system that subsequently loads it. Common delivery channels include malicious ML model artifacts on public model hubs, supply chain compromises of pickled datasets, and pickle attachments processed by automated pipelines. The pickle file is constructed with a GLOBAL opcode referencing idlelib.calltip Calltip and a REDUCE opcode that invokes fetch_tip against an attacker-controlled expression. User interaction is limited to loading or scanning the file. See the GitHub Security Advisory GHSA-8r4j-24qv-fmq9 and the VulnCheck advisory for technical reproduction details.
Detection Methods for CVE-2025-71361
Indicators of Compromise
- Pickle files containing GLOBAL opcodes that reference idlelib.calltip or idlelib.calltips modules
- Python processes that spawn shells, network connections, or write executables immediately after pickle.load() or torch.load() calls
- Unexpected child processes parented to ML training, inference, or notebook kernels
- Outbound network traffic from hosts loading third-party model files shortly after artifact download
Detection Strategies
- Statically inspect pickle files with pickletools.dis() and alert on any GLOBAL reference outside an explicit allow-list of safe modules
- Hunt EDR telemetry for python or python3 processes spawning sh, bash, cmd.exe, or powershell.exe within seconds of opening a .pkl, .pt, or .bin file
- Correlate file-write events for newly downloaded pickle artifacts with subsequent process and network anomalies
Monitoring Recommendations
- Inventory all uses of picklescan across CI/CD, model registries, and inference services and confirm the installed version is 0.0.29 or later
- Log every invocation of pickle.load, pickle.loads, torch.load, and joblib.load along with the source URI of the loaded artifact
- Forward pickle file hashes and scan verdicts to a central data lake to enable retroactive hunting when new bypass gadgets are disclosed
How to Mitigate CVE-2025-71361
Immediate Actions Required
- Upgrade picklescan to version 0.0.29 or later across all environments using pip install --upgrade picklescan
- Rescan any pickle artifacts that were previously cleared by older picklescan versions before reusing them
- Treat all pickle files from external sources as untrusted regardless of scanner verdict and isolate loading in sandboxed environments
Patch Information
The maintainer addressed the bypass in picklescan0.0.29 by adding idlelib.calltip.Calltip.fetch_tip to the dangerous globals list. Refer to the GitHub Security Advisory GHSA-8r4j-24qv-fmq9 for the fix commit and remediation guidance.
Workarounds
- Replace pickle-based model serialization with safer formats such as safetensors, ONNX, or JSON where feasible
- Load untrusted pickle files only inside ephemeral, network-isolated containers with no production credentials mounted
- Implement a strict allow-list of permitted modules using a custom pickle.Unpickler.find_class override that raises on any unexpected import
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.29'
# Verify the installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
# Re-scan a directory of pickle artifacts
picklescan --path ./models --globals-whitelist ''
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

