CVE-2025-71363 Overview
CVE-2025-71363 is an insecure deserialization vulnerability [CWE-502] affecting picklescan versions before 0.0.30. The scanner fails to detect cProfile.run function calls embedded in pickle __reduce__ methods. Attackers can craft malicious pickle files that bypass picklescan static analysis and execute arbitrary Python code when the file is deserialized. The flaw undermines the primary security guarantee of picklescan, which is used to vet machine learning model files distributed as pickles.
Critical Impact
Remote attackers can distribute weaponized pickle or ML model files that pass picklescan inspection and achieve arbitrary code execution on any host that loads them.
Affected Products
- picklescan versions prior to 0.0.30
- Python environments consuming pickle-based machine learning model artifacts
- CI/CD and MLOps pipelines that rely on picklescan as a gating control
Discovery Timeline
- 2026-06-30 - CVE-2025-71363 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2025-71363
Vulnerability Analysis
picklescan is a static scanner that inspects pickle streams for opcodes and global references known to enable code execution during deserialization. The tool maintains a denylist of dangerous callables such as os.system, subprocess.Popen, and eval. This denylist did not include cProfile.run, a standard library function that accepts a string argument and passes it to exec internally.
When a pickle file's __reduce__ method returns (cProfile.run, ("malicious_python_code",)), the pickle module reconstructs the object by invoking cProfile.run on the attacker-supplied string. Because cProfile.run calls exec on that string, arbitrary Python executes in the process loading the pickle. picklescan reports the file as safe because the referenced global is not on its blocklist.
Root Cause
The root cause is an incomplete denylist in picklescan's detection logic. The scanner enumerates known dangerous globals rather than enforcing an allowlist of safe callables. Any standard library function that internally reaches exec, eval, or compile becomes a bypass primitive. cProfile.run is one such function that was missed in versions prior to 0.0.30.
Attack Vector
Exploitation is network-reachable but requires user interaction, since a target must download and deserialize the crafted pickle. Typical delivery paths include malicious model files on public model hubs, compromised package artifacts, and supply chain injection into ML training pipelines. Upon pickle.load or torch.load with the default unpickler, the payload string passed to cProfile.run executes with the privileges of the loading process.
No verified public proof-of-concept code is referenced in the advisory. Technical details are documented in the GitHub Security Advisory GHSA-49gj-c84q-6qm9 and the VulnCheck advisory on picklescan.
Detection Methods for CVE-2025-71363
Indicators of Compromise
- Pickle or ML model files containing references to the cProfile module or the cProfile.run global
- picklescan scan reports marking files as clean despite the presence of cProfile opcodes
- Unexpected child processes spawned by Python interpreters loading model files
- Outbound network connections initiated immediately after pickle.load or torch.load calls
Detection Strategies
- Re-scan all previously vetted pickle artifacts with picklescan0.0.30 or later
- Inspect pickle streams for the GLOBAL or STACK_GLOBAL opcodes referencing cProfile, pdb, bdb, or other modules that internally call exec
- Instrument Python loaders with pickle.Unpickler.find_class overrides that enforce an allowlist of permitted classes
- Correlate model file ingestion events with subsequent process creation and network telemetry
Monitoring Recommendations
- Log every deserialization of untrusted pickle files and the source of the artifact
- Alert on Python processes that execute shell commands or spawn interpreters shortly after loading a model file
- Track versions of picklescan deployed across CI/CD runners and developer workstations to confirm remediation coverage
How to Mitigate CVE-2025-71363
Immediate Actions Required
- Upgrade picklescan to version 0.0.30 or later across all environments, including CI pipelines, model registries, and analyst workstations
- Re-scan all pickle and ML model artifacts previously cleared by vulnerable picklescan versions
- Treat any pickle referencing cProfile.run in a __reduce__ context as malicious until proven otherwise
Patch Information
The maintainer released picklescan0.0.30, which adds cProfile.run to the set of detected dangerous globals. Consult the GitHub Security Advisory GHSA-49gj-c84q-6qm9 for the full fix description and commit references.
Workarounds
- Avoid loading pickle files from untrusted sources; prefer serialization formats such as safetensors for machine learning weights
- Implement a restricted Unpickler subclass that overrides find_class to allow only an explicit set of known-safe classes
- Execute pickle deserialization inside sandboxed environments with no network egress and minimal filesystem privileges
- Combine picklescan with a second independent scanner to reduce reliance on a single denylist
# Configuration example
pip install --upgrade 'picklescan>=0.0.30'
picklescan --path ./models/ --globals-allowlist ./allowlist.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

