CVE-2025-71364 Overview
CVE-2025-71364 affects picklescan versions before 0.0.30, a security scanner designed to detect malicious code in Python pickle files. The scanner fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function when embedded in pickle reduce methods. Attackers can craft malicious pickle files that invoke this built-in function to execute arbitrary commands during deserialization while evading picklescan detection. The vulnerability is categorized under [CWE-502] Deserialization of Untrusted Data. This flaw directly impacts machine learning workflows that rely on picklescan to validate model files before loading.
Critical Impact
Attackers can achieve remote code execution on systems that load pickle files previously scanned and cleared by picklescan versions prior to 0.0.30.
Affected Products
- picklescan versions before 0.0.30
- Python environments consuming pickle files validated by vulnerable picklescan releases
- Machine learning pipelines relying on picklescan for model file safety validation
Discovery Timeline
- 2026-07-04 - CVE-2025-71364 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2025-71364
Vulnerability Analysis
The vulnerability resides in picklescan's denylist of dangerous functions used during pickle file inspection. Python's pickle format allows objects to define a __reduce__ method that returns a callable and its arguments, both invoked automatically during unpickling. Attackers exploit this by embedding references to built-in functions capable of executing shell commands or spawning subprocesses.
picklescan maintains a list of known-dangerous callables such as os.system, subprocess.Popen, and similar primitives. The scanner missed asyncio.unix_events._UnixSubprocessTransport._start, an internal asyncio function that spawns subprocesses on Unix systems. A crafted pickle referencing this function passes the scan yet still executes attacker-controlled commands when loaded with pickle.load or torch.load.
Root Cause
The root cause is an incomplete denylist of dangerous callables within picklescan. Static allow/deny approaches to pickle safety cannot enumerate every subprocess-spawning function across the Python standard library. Internal asyncio transport helpers were absent from the denylist, allowing them to serve as an execution primitive during deserialization.
Attack Vector
An attacker publishes or distributes a malicious pickle file, typically disguised as a machine learning model, dataset, or serialized object. The victim runs picklescan against the file, which reports no threats. When the victim subsequently deserializes the file, the embedded reduce method invokes asyncio.unix_events._UnixSubprocessTransport._start and executes arbitrary commands under the victim's user context. Delivery vectors include model hubs, package repositories, and shared collaboration platforms.
See the VulnCheck Advisory on Picklescan for exploitation details.
Detection Methods for CVE-2025-71364
Indicators of Compromise
- Pickle files containing references to asyncio.unix_events._UnixSubprocessTransport._start in their opcodes
- Unexpected child processes spawned by Python interpreters loading model or data files
- Outbound network connections initiated shortly after pickle.load or torch.load calls
Detection Strategies
- Inspect pickle file bytecode with pickletools.dis and flag any GLOBAL opcodes referencing asyncio.unix_events modules
- Upgrade to picklescan0.0.30 or later, which adds the missing function to its denylist
- Enforce loading of pickle files only from trusted origins with cryptographic signatures
Monitoring Recommendations
- Alert on Python processes spawning shell interpreters (sh, bash) or unexpected binaries as child processes
- Log all invocations of pickle.load, pickle.loads, and torch.load in ML pipelines with source file provenance
- Monitor developer workstations and CI/CD runners for anomalous subprocess execution following model file access
How to Mitigate CVE-2025-71364
Immediate Actions Required
- Upgrade picklescan to version 0.0.30 or later across all developer environments, CI/CD pipelines, and model registries
- Rescan all previously validated pickle files with the patched scanner version
- Treat any pickle file from untrusted sources as executable code and isolate loading operations in sandboxes
Patch Information
The maintainer released picklescan0.0.30 with an expanded denylist covering asyncio.unix_events._UnixSubprocessTransport._start and related subprocess primitives. Refer to the GitHub Security Advisory for the full patch details and remediation guidance.
Workarounds
- Migrate from pickle-based serialization to safer formats such as safetensors for machine learning model distribution
- Execute pickle deserialization inside restricted containers or seccomp-filtered processes that block execve syscalls
- Require cryptographic signature verification on pickle artifacts before any load operation
# Configuration example
pip install --upgrade "picklescan>=0.0.30"
picklescan --path /path/to/models
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

