Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71363

CVE-2025-71363: picklescan RCE Vulnerability

CVE-2025-71363 is a remote code execution flaw in picklescan before 0.0.30 that fails to detect cProfile.run payloads in pickle files. This article covers the technical details, affected versions, and mitigations.

Published:

CVE-2025-71363 Overview

CVE-2025-71363 is an insecure deserialization vulnerability [CWE-502] affecting picklescan versions before 0.0.30. The scanner fails to detect cProfile.run function calls embedded in pickle __reduce__ methods. Attackers can craft malicious pickle files that bypass picklescan static analysis and execute arbitrary Python code when the file is deserialized. The flaw undermines the primary security guarantee of picklescan, which is used to vet machine learning model files distributed as pickles.

Critical Impact

Remote attackers can distribute weaponized pickle or ML model files that pass picklescan inspection and achieve arbitrary code execution on any host that loads them.

Affected Products

  • picklescan versions prior to 0.0.30
  • Python environments consuming pickle-based machine learning model artifacts
  • CI/CD and MLOps pipelines that rely on picklescan as a gating control

Discovery Timeline

  • 2026-06-30 - CVE-2025-71363 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2025-71363

Vulnerability Analysis

picklescan is a static scanner that inspects pickle streams for opcodes and global references known to enable code execution during deserialization. The tool maintains a denylist of dangerous callables such as os.system, subprocess.Popen, and eval. This denylist did not include cProfile.run, a standard library function that accepts a string argument and passes it to exec internally.

When a pickle file's __reduce__ method returns (cProfile.run, ("malicious_python_code",)), the pickle module reconstructs the object by invoking cProfile.run on the attacker-supplied string. Because cProfile.run calls exec on that string, arbitrary Python executes in the process loading the pickle. picklescan reports the file as safe because the referenced global is not on its blocklist.

Root Cause

The root cause is an incomplete denylist in picklescan's detection logic. The scanner enumerates known dangerous globals rather than enforcing an allowlist of safe callables. Any standard library function that internally reaches exec, eval, or compile becomes a bypass primitive. cProfile.run is one such function that was missed in versions prior to 0.0.30.

Attack Vector

Exploitation is network-reachable but requires user interaction, since a target must download and deserialize the crafted pickle. Typical delivery paths include malicious model files on public model hubs, compromised package artifacts, and supply chain injection into ML training pipelines. Upon pickle.load or torch.load with the default unpickler, the payload string passed to cProfile.run executes with the privileges of the loading process.

No verified public proof-of-concept code is referenced in the advisory. Technical details are documented in the GitHub Security Advisory GHSA-49gj-c84q-6qm9 and the VulnCheck advisory on picklescan.

Detection Methods for CVE-2025-71363

Indicators of Compromise

  • Pickle or ML model files containing references to the cProfile module or the cProfile.run global
  • picklescan scan reports marking files as clean despite the presence of cProfile opcodes
  • Unexpected child processes spawned by Python interpreters loading model files
  • Outbound network connections initiated immediately after pickle.load or torch.load calls

Detection Strategies

  • Re-scan all previously vetted pickle artifacts with picklescan0.0.30 or later
  • Inspect pickle streams for the GLOBAL or STACK_GLOBAL opcodes referencing cProfile, pdb, bdb, or other modules that internally call exec
  • Instrument Python loaders with pickle.Unpickler.find_class overrides that enforce an allowlist of permitted classes
  • Correlate model file ingestion events with subsequent process creation and network telemetry

Monitoring Recommendations

  • Log every deserialization of untrusted pickle files and the source of the artifact
  • Alert on Python processes that execute shell commands or spawn interpreters shortly after loading a model file
  • Track versions of picklescan deployed across CI/CD runners and developer workstations to confirm remediation coverage

How to Mitigate CVE-2025-71363

Immediate Actions Required

  • Upgrade picklescan to version 0.0.30 or later across all environments, including CI pipelines, model registries, and analyst workstations
  • Re-scan all pickle and ML model artifacts previously cleared by vulnerable picklescan versions
  • Treat any pickle referencing cProfile.run in a __reduce__ context as malicious until proven otherwise

Patch Information

The maintainer released picklescan0.0.30, which adds cProfile.run to the set of detected dangerous globals. Consult the GitHub Security Advisory GHSA-49gj-c84q-6qm9 for the full fix description and commit references.

Workarounds

  • Avoid loading pickle files from untrusted sources; prefer serialization formats such as safetensors for machine learning weights
  • Implement a restricted Unpickler subclass that overrides find_class to allow only an explicit set of known-safe classes
  • Execute pickle deserialization inside sandboxed environments with no network egress and minimal filesystem privileges
  • Combine picklescan with a second independent scanner to reduce reliance on a single denylist
bash
# Configuration example
pip install --upgrade 'picklescan>=0.0.30'
picklescan --path ./models/ --globals-allowlist ./allowlist.txt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.