CVE-2025-71366 Overview
CVE-2025-71366 affects picklescan versions before 0.0.28, a tool designed to detect malicious code embedded in Python pickle files. The scanner fails to identify calls to the torch.utils.bottleneck.__main__.run_cprofile function, allowing attackers to bypass its safety checks. Remote attackers can craft pickle files containing this undetected function reference to achieve arbitrary code execution when a victim loads the file. The vulnerability is classified under CWE-502: Deserialization of Untrusted Data and primarily impacts machine learning workflows that rely on picklescan to vet PyTorch model files before loading.
Critical Impact
Attackers can achieve arbitrary code execution on systems that load pickle files vetted by vulnerable picklescan versions, compromising ML pipelines and inference hosts.
Affected Products
- picklescan versions prior to 0.0.28
- Machine learning pipelines using picklescan to validate PyTorch model files
- Downstream tools and services embedding picklescan as a safety layer for pickle deserialization
Discovery Timeline
- 2026-07-04 - CVE-2025-71366 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71366
Vulnerability Analysis
The picklescan library statically inspects pickle files for references to functions known to enable code execution during deserialization. The scanner maintains a denylist of dangerous callables such as os.system, subprocess.Popen, and various builtins primitives. The denylist omits torch.utils.bottleneck.__main__.run_cprofile, which internally invokes profiling logic that can execute attacker-controlled Python code paths.
When a victim loads a malicious pickle file with torch.load or pickle.load, the Python unpickler resolves the reference and invokes run_cprofile with attacker-supplied arguments. This grants the attacker arbitrary code execution in the process context, bypassing the false assurance provided by a clean picklescan result.
Root Cause
The root cause is an incomplete denylist in the picklescan static analyzer. Pickle deserialization treats any importable callable as executable, so any scanner relying on enumeration of dangerous functions must exhaustively enumerate all reachable code-execution primitives. Deep transitive imports in the PyTorch ecosystem, including torch.utils.bottleneck.__main__, expose additional gadgets that the scanner did not track.
Attack Vector
An attacker publishes a malicious PyTorch model or pickle artifact to a model hub, package registry, or shared storage location. The victim runs picklescan against the file, receives a clean result, and proceeds to load it with torch.load. During unpickling, the embedded torch.utils.bottleneck.__main__.run_cprofile reference triggers execution of attacker-controlled logic. Exploitation requires user interaction to load the file but no privileges on the target system.
The vulnerability manifests during pickle opcode processing when the REDUCE or STACK_GLOBAL opcodes resolve the crafted callable. See the GitHub Security Advisory GHSA-4r9r-ch6f-vxmx and the VulnCheck advisory for technical details.
Detection Methods for CVE-2025-71366
Indicators of Compromise
- Pickle files containing references to torch.utils.bottleneck.__main__.run_cprofile or related bottleneck module callables
- Unexpected child processes spawned by Python interpreters after loading model files, including shells, curl, wget, or profiling utilities
- Outbound network connections from data science workstations or inference servers immediately following torch.load invocations
- Newly created files or scheduled tasks associated with the Python process that loaded a scanned model
Detection Strategies
- Statically scan pickle files with an updated picklescan version 0.0.28 or later, or with an alternative scanner such as fickling that enumerates a broader gadget set
- Inspect model files using pickletools.dis and grep for torch.utils.bottleneck module references before loading
- Instrument model-loading services to log every module and callable resolved by the unpickler through a custom Unpickler.find_class hook
- Monitor process ancestry for Python processes spawning shells or profiling tools shortly after model loads
Monitoring Recommendations
- Track invocations of torch.load, pickle.load, and joblib.load in application logs and correlate with subsequent process and network activity
- Alert on any resolution of torch.utils.bottleneck.__main__ symbols outside of interactive debugging sessions
- Retain pickle files loaded by production services for forensic replay against updated scanners
How to Mitigate CVE-2025-71366
Immediate Actions Required
- Upgrade picklescan to version 0.0.28 or later across all environments that scan model or pickle files
- Re-scan previously vetted pickle artifacts with the patched scanner and quarantine any files that fail
- Restrict pickle loading to files sourced from trusted publishers and verified through cryptographic signatures
- Isolate model-loading workloads in sandboxed containers with least-privilege service accounts and no outbound internet access unless required
Patch Information
The maintainers addressed CVE-2025-71366 in picklescan version 0.0.28 by extending the denylist to cover torch.utils.bottleneck.__main__.run_cprofile and related gadgets. Refer to the GitHub Security Advisory GHSA-4r9r-ch6f-vxmx for the patched release and commit references.
Workarounds
- Migrate model serialization to safer formats such as safetensors, which do not execute code during load
- Load untrusted pickle files only inside disposable sandboxes with no access to secrets, credentials, or production networks
- Implement a custom Unpickler.find_class that enforces an allowlist of expected tensor and module classes and rejects everything else
- Require signed manifests for model artifacts and validate signatures before invoking any scanner or loader
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

