CVE-2025-71367 Overview
CVE-2025-71367 is an insecure deserialization vulnerability in picklescan versions before 0.0.34. The scanner fails to detect _operator.attrgetter function calls embedded in pickle payloads. Attackers craft malicious pickle files that invoke _operator.attrgetter inside __reduce__ methods to execute arbitrary code when pickle.load() processes the file. Because picklescan is used to vet machine learning model files before loading, this bypass allows attacker-controlled pickles to reach pickle.load() and achieve remote code execution. The flaw is tracked under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Attackers can bypass picklescan security checks and execute arbitrary code on systems that load scanned pickle or ML model files.
Affected Products
- picklescan versions prior to 0.0.34
- Machine learning pipelines that rely on picklescan to vet untrusted pickle files
- Model hubs and applications ingesting third-party PyTorch or scikit-learn artifacts scanned with vulnerable versions
Discovery Timeline
- 2026-07-04 - CVE-2025-71367 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71367
Vulnerability Analysis
picklescan inspects pickle byte streams for references to dangerous callables before a caller invokes pickle.load(). The scanner maintains an allow/deny list of module and function names but omits _operator.attrgetter from its unsafe-callable set. Because _operator.attrgetter is a callable that returns attribute lookups on arbitrary objects, it can be chained with __reduce__ to reach dangerous functions such as os.system or subprocess.Popen without triggering the scanner.
An attacker constructs a pickle whose __reduce__ method returns _operator.attrgetter bound to a chain that resolves to a code-execution primitive when the pickle is unpickled. picklescan reports the payload as clean, and the downstream loader executes the embedded operation. The result is remote code execution when a victim loads an attacker-supplied model file.
Root Cause
The root cause is an incomplete deny list in the picklescan static analyzer. The scanner's globals inspection does not classify _operator.attrgetter as a dangerous callable, so pickle opcodes referencing it pass validation. This is a classic detection-bypass flaw in a security scanner rather than a bug in CPython's pickle module.
Attack Vector
Exploitation requires an attacker to deliver a crafted pickle file to a victim who scans and then deserializes it. Typical delivery channels include public model repositories, shared datasets, and CI artifacts. User interaction is required to load the file, but no authentication or privileges on the target are needed. The vulnerability manifests during pickle.load(); see the GitHub Security Advisory GHSA-46h3-79wf-xr6c and the VulnCheck advisory for technical detail on the reduce-based payload structure.
Detection Methods for CVE-2025-71367
Indicators of Compromise
- Pickle files containing _operator.attrgetter references in GLOBAL or STACK_GLOBAL opcodes
- Unexpected child processes spawned by Python interpreters immediately after loading .pkl, .pt, or .bin model files
- picklescan reporting a file as clean while the file contains __reduce__ handlers that reference the _operator module
Detection Strategies
- Parse pickle opcodes with pickletools.dis and flag any reference to _operator.attrgetter, operator.attrgetter, or nested attribute chains resolving to os, subprocess, or builtins
- Compare installed picklescan version against 0.0.34 across ML build hosts and inference nodes
- Correlate model-file ingest events with subsequent process creation to identify deserialization-triggered execution
Monitoring Recommendations
- Log all invocations of pickle.load, torch.load, and joblib.load in production data science environments
- Alert on Python processes that execute shells, network utilities, or write to /tmp shortly after model load
- Track dependency manifests to detect pinned versions of picklescan below 0.0.34
How to Mitigate CVE-2025-71367
Immediate Actions Required
- Upgrade picklescan to version 0.0.34 or later on all systems that scan pickle payloads
- Rescan any third-party model files that were previously cleared by a vulnerable picklescan version
- Restrict model file sources to trusted registries and enforce cryptographic signing where available
Patch Information
The maintainer released picklescan0.0.34, which adds _operator.attrgetter to the set of detected unsafe callables. Refer to the GitHub Security Advisory GHSA-46h3-79wf-xr6c for release details and remediation guidance.
Workarounds
- Avoid pickle.load() on untrusted files and prefer safer serialization formats such as safetensors for model weights
- Run model deserialization inside sandboxed or containerized workers with no outbound network and restricted filesystem access
- Add a custom pickle.Unpickler.find_class allow list that rejects _operator and other non-essential modules
# Upgrade picklescan to the patched version
pip install --upgrade 'picklescan>=0.0.34'
# Verify installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

