Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71364

CVE-2025-71364: picklescan RCE Vulnerability

CVE-2025-71364 is a remote code execution vulnerability in picklescan before version 0.0.30 that fails to detect malicious pickle files. Attackers can execute arbitrary commands by exploiting this detection bypass. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-71364 Overview

CVE-2025-71364 affects picklescan versions before 0.0.30, a security scanner designed to detect malicious code in Python pickle files. The scanner fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function when embedded in pickle reduce methods. Attackers can craft malicious pickle files that invoke this built-in function to execute arbitrary commands during deserialization while evading picklescan detection. The vulnerability is categorized under [CWE-502] Deserialization of Untrusted Data. This flaw directly impacts machine learning workflows that rely on picklescan to validate model files before loading.

Critical Impact

Attackers can achieve remote code execution on systems that load pickle files previously scanned and cleared by picklescan versions prior to 0.0.30.

Affected Products

  • picklescan versions before 0.0.30
  • Python environments consuming pickle files validated by vulnerable picklescan releases
  • Machine learning pipelines relying on picklescan for model file safety validation

Discovery Timeline

  • 2026-07-04 - CVE-2025-71364 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2025-71364

Vulnerability Analysis

The vulnerability resides in picklescan's denylist of dangerous functions used during pickle file inspection. Python's pickle format allows objects to define a __reduce__ method that returns a callable and its arguments, both invoked automatically during unpickling. Attackers exploit this by embedding references to built-in functions capable of executing shell commands or spawning subprocesses.

picklescan maintains a list of known-dangerous callables such as os.system, subprocess.Popen, and similar primitives. The scanner missed asyncio.unix_events._UnixSubprocessTransport._start, an internal asyncio function that spawns subprocesses on Unix systems. A crafted pickle referencing this function passes the scan yet still executes attacker-controlled commands when loaded with pickle.load or torch.load.

Root Cause

The root cause is an incomplete denylist of dangerous callables within picklescan. Static allow/deny approaches to pickle safety cannot enumerate every subprocess-spawning function across the Python standard library. Internal asyncio transport helpers were absent from the denylist, allowing them to serve as an execution primitive during deserialization.

Attack Vector

An attacker publishes or distributes a malicious pickle file, typically disguised as a machine learning model, dataset, or serialized object. The victim runs picklescan against the file, which reports no threats. When the victim subsequently deserializes the file, the embedded reduce method invokes asyncio.unix_events._UnixSubprocessTransport._start and executes arbitrary commands under the victim's user context. Delivery vectors include model hubs, package repositories, and shared collaboration platforms.

See the VulnCheck Advisory on Picklescan for exploitation details.

Detection Methods for CVE-2025-71364

Indicators of Compromise

  • Pickle files containing references to asyncio.unix_events._UnixSubprocessTransport._start in their opcodes
  • Unexpected child processes spawned by Python interpreters loading model or data files
  • Outbound network connections initiated shortly after pickle.load or torch.load calls

Detection Strategies

  • Inspect pickle file bytecode with pickletools.dis and flag any GLOBAL opcodes referencing asyncio.unix_events modules
  • Upgrade to picklescan0.0.30 or later, which adds the missing function to its denylist
  • Enforce loading of pickle files only from trusted origins with cryptographic signatures

Monitoring Recommendations

  • Alert on Python processes spawning shell interpreters (sh, bash) or unexpected binaries as child processes
  • Log all invocations of pickle.load, pickle.loads, and torch.load in ML pipelines with source file provenance
  • Monitor developer workstations and CI/CD runners for anomalous subprocess execution following model file access

How to Mitigate CVE-2025-71364

Immediate Actions Required

  • Upgrade picklescan to version 0.0.30 or later across all developer environments, CI/CD pipelines, and model registries
  • Rescan all previously validated pickle files with the patched scanner version
  • Treat any pickle file from untrusted sources as executable code and isolate loading operations in sandboxes

Patch Information

The maintainer released picklescan0.0.30 with an expanded denylist covering asyncio.unix_events._UnixSubprocessTransport._start and related subprocess primitives. Refer to the GitHub Security Advisory for the full patch details and remediation guidance.

Workarounds

  • Migrate from pickle-based serialization to safer formats such as safetensors for machine learning model distribution
  • Execute pickle deserialization inside restricted containers or seccomp-filtered processes that block execve syscalls
  • Require cryptographic signature verification on pickle artifacts before any load operation
bash
# Configuration example
pip install --upgrade "picklescan>=0.0.30"
picklescan --path /path/to/models

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.