CVE-2025-71365 Overview
CVE-2025-71365 affects picklescan versions prior to 0.0.33, a security scanner designed to detect malicious Python pickle files. The scanner fails to flag pickle files that invoke the numpy.f2py.crackfortran.myeval function through the __reduce__ method. Attackers can craft pickle files embedding arbitrary code that evades detection and executes when the file is loaded. The vulnerability is classified as Deserialization of Untrusted Data [CWE-502]. Machine learning model distribution platforms and downstream applications that rely on picklescan to validate untrusted pickle artifacts are exposed to arbitrary code execution.
Critical Impact
Attackers can bypass picklescan detection and achieve remote code execution when a victim loads a malicious pickle file containing the numpy.f2py.crackfortran.myeval gadget.
Affected Products
- picklescan versions before 0.0.33
- Python environments loading untrusted pickle files scanned by picklescan
- ML pipelines relying on picklescan to vet model artifacts
Discovery Timeline
- 2026-06-23 - CVE-2025-71365 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-71365
Vulnerability Analysis
The vulnerability resides in picklescan's allow/deny logic for callable references encountered during static pickle inspection. The scanner maintains a list of known dangerous functions and flags pickle opcodes that resolve to them. The numpy.f2py.crackfortran.myeval callable is not on this list. When attackers package this callable inside a __reduce__ method, the resulting pickle stream passes picklescan validation while still triggering arbitrary code execution at load time.
numpy.f2py.crackfortran.myeval is effectively a wrapper around Python's eval. Any string argument supplied through __reduce__ is evaluated in the target process. The bypass works because static scanners cannot distinguish utility functions that wrap dynamic evaluation from benign helpers. Successful exploitation requires the victim to load the crafted pickle file, satisfying the user interaction requirement reflected in the CVSS vector.
Root Cause
The root cause is an incomplete denylist of dangerous callables in picklescan. The scanner enumerates global references resolved by pickle's GLOBAL and STACK_GLOBAL opcodes, then matches them against a curated unsafe list. numpy.f2py.crackfortran.myeval was omitted from that list despite providing equivalent capability to eval, exec, and os.system.
Attack Vector
An attacker constructs a Python class whose __reduce__ method returns a tuple referencing numpy.f2py.crackfortran.myeval together with an attacker-controlled expression string. The class is pickled and distributed through a model hub, package repository, or other channel that downstream consumers scan with picklescan. The scan reports the file as clean. When a victim deserializes the file using pickle.load or torch.load, the unpickler resolves the global reference and invokes myeval on the embedded string, evaluating attacker code in the victim process. See the VulnCheck Advisory on PickleScan for a full proof-of-concept walkthrough.
Detection Methods for CVE-2025-71365
Indicators of Compromise
- Pickle files containing GLOBAL opcodes referencing numpy.f2py.crackfortran or the symbol myeval.
- Python processes spawning unexpected child processes such as shells, interpreters, or network utilities shortly after a pickle.load or torch.load call.
- Outbound network connections originating from ML training or inference workloads to unknown hosts immediately after model deserialization.
Detection Strategies
- Statically inspect pickle files with pickletools.dis and alert on any reference to numpy.f2py.crackfortran.myeval, eval, exec, os.system, subprocess, or pty.
- Upgrade picklescan to 0.0.33 or later so the myeval gadget is included in the deny list.
- Run pickle deserialization in sandboxed processes and treat any unexpected execve, network, or filesystem syscall during load as a detection signal.
Monitoring Recommendations
- Monitor process trees rooted in Python interpreters for unusual children launched during model loading workflows.
- Log and review all pickle artifacts ingested from external sources, including hash, origin, and the user that loaded them.
- Capture EDR telemetry for filesystem writes and outbound connections initiated by ML services during the first seconds after torch.load or pickle.load.
How to Mitigate CVE-2025-71365
Immediate Actions Required
- Upgrade picklescan to version 0.0.33 or later across all CI, model validation, and developer environments.
- Re-scan previously approved pickle and PyTorch model files with the patched version of picklescan.
- Block or quarantine any pickle file containing a reference to numpy.f2py.crackfortran.myeval until manual review is complete.
Patch Information
The fix is shipped in picklescan0.0.33, which adds numpy.f2py.crackfortran.myeval to the unsafe globals list. Refer to the GitHub Security Advisory for the upstream advisory and patch references.
Workarounds
- Prefer safetensors or other non-executable serialization formats over pickle for model distribution.
- Load pickle files only inside restricted environments such as containers without network access and read-only filesystems.
- Implement an allowlist-based unpickler using pickle.Unpickler.find_class to reject any global outside an approved set, including any reference under numpy.f2py.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

