CVE-2025-71362 Overview
CVE-2025-71362 affects picklescan versions prior to 0.0.33, a Python library used to detect malicious pickle files before deserialization. The scanner fails to identify unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when victims load the files from untrusted sources. The flaw is classified under CWE-502: Deserialization of Untrusted Data and impacts machine learning pipelines that rely on picklescan to vet model artifacts before loading.
Critical Impact
Attackers can achieve arbitrary code execution on systems that load pickle files vetted by vulnerable versions of picklescan, bypassing the scanner's malware detection.
Affected Products
- picklescan versions before 0.0.33
- Machine learning workflows using picklescan to validate pickle files
- Python environments with numpy.f2py.crackfortran accessible during unpickling
Discovery Timeline
- 2026-07-04 - CVE-2025-71362 published to the National Vulnerability Database
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71362
Vulnerability Analysis
The vulnerability resides in the allow-list logic of picklescan, which enumerates functions considered safe or unsafe during pickle inspection. The scanner did not flag calls into numpy.f2py.crackfortran helpers that internally invoke Python's eval on caller-controlled strings. As a result, a crafted pickle file referencing these functions passes static analysis but executes attacker-supplied code at load time. This category of flaw is classified as insecure deserialization [CWE-502].
Pickle files are commonly used to serialize Python objects, including machine learning models. Because unpickling instantiates objects by invoking arbitrary callables recorded in the stream, any reachable function that evaluates strings becomes a code-execution primitive. picklescan is intended to reduce this risk, so a scanner blind spot directly translates into supply-chain risk for downstream consumers.
Root Cause
The root cause is an incomplete deny-list within picklescan prior to version 0.0.33. Functions inside numpy.f2py.crackfortran that pass user-controlled input to eval were not enumerated as dangerous callables. The scanner therefore returned a clean verdict on pickle streams that reduced to eval(<attacker string>) through this path.
Attack Vector
Exploitation requires a victim to download a malicious pickle file, scan it with a vulnerable picklescan version, and then load it with pickle.load or an equivalent API. The attacker publishes the file to a model hub, package repository, dataset mirror, or any distribution channel a target consumes. User interaction is required to trigger deserialization. Once loaded, the embedded reducer invokes the crackfortran helper with attacker-controlled Fortran source, which is evaluated as Python and yields code execution in the victim's process. Full technical details are available in the GitHub Security Advisory GHSA-r8g5-cgf2-4m4m and the VulnCheck advisory.
Detection Methods for CVE-2025-71362
Indicators of Compromise
- Pickle files whose opcode stream references numpy.f2py.crackfortran symbols, particularly functions that accept source strings
- Python processes spawning unexpected child processes such as sh, bash, cmd.exe, or powershell.exe shortly after a pickle.load call
- Outbound network connections initiated by Python interpreters immediately after model or dataset loading
- Unexpected file writes under user home directories or /tmp following ingestion of third-party pickle artifacts
Detection Strategies
- Inventory installations of picklescan and flag any version below 0.0.33 through software composition analysis.
- Statically inspect pickle files for GLOBAL and STACK_GLOBAL opcodes that reference numpy.f2py.crackfortran before loading.
- Correlate Python process telemetry with subsequent shell, network, or filesystem activity to identify post-deserialization execution.
Monitoring Recommendations
- Log every invocation of pickle.load, pickle.loads, joblib.load, and torch.load on production systems that process external artifacts.
- Alert on Python interpreters executing eval-derived code paths originating from numpy.f2py modules.
- Track picklescan scan results and version metadata in centralized logging to detect regressions to vulnerable releases.
How to Mitigate CVE-2025-71362
Immediate Actions Required
- Upgrade picklescan to version 0.0.33 or later across all environments, including CI/CD pipelines and researcher workstations.
- Rescan any pickle files previously cleared by vulnerable picklescan versions before reusing them.
- Treat pickle files from untrusted sources as untrusted executable code regardless of scanner verdict.
Patch Information
The fix is included in picklescan 0.0.33, which extends the scanner's unsafe-function list to cover numpy.f2py.crackfortran helpers that call eval. Refer to the GitHub Security Advisory GHSA-r8g5-cgf2-4m4m for the maintainer's remediation notes and release details.
Workarounds
- Prefer safer serialization formats such as safetensors for machine learning model exchange where feasible.
- Load untrusted pickle files inside isolated sandboxes, containers, or ephemeral virtual machines without network or credential access.
- Restrict availability of numpy.f2py in inference environments that do not require Fortran interoperability.
# Upgrade picklescan to a patched release
pip install --upgrade 'picklescan>=0.0.33'
# Verify the installed version
python -c "import picklescan, sys; print(picklescan.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

