Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71368

CVE-2025-71368: picklescan RCE Vulnerability

CVE-2025-71368 is a remote code execution flaw in picklescan before version 0.0.30 that fails to detect doctest.debug_script function calls. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71368 Overview

CVE-2025-71368 is an arbitrary code execution vulnerability in picklescan versions before 0.0.30. The scanner fails to detect calls to the doctest.debug_script function when analyzing Python pickle files. Attackers can craft malicious pickle files that embed doctest.debug_script calls, bypass picklescan's static analysis, and execute arbitrary commands when the pickle is loaded via pickle.load. The flaw is tracked under CWE-502: Deserialization of Untrusted Data and affects machine learning pipelines that rely on picklescan to vet untrusted model files.

Critical Impact

Attackers can achieve remote arbitrary code execution against systems that trust picklescan results before invoking pickle.load on downloaded model files.

Affected Products

  • picklescan versions prior to 0.0.30
  • Python applications and ML pipelines using picklescan to validate pickle files
  • Model-sharing workflows that rely on picklescan scans before deserialization

Discovery Timeline

  • 2026-06-30 - CVE-2025-71368 published to the National Vulnerability Database (NVD)
  • 2026-07-01 - Last updated in the NVD database

Technical Details for CVE-2025-71368

Vulnerability Analysis

picklescan inspects pickle files to identify references to functions known to enable code execution during deserialization. The tool maintains a denylist of dangerous callables that pickle opcodes may resolve at load time. Versions before 0.0.30 omit the doctest.debug_script function from this denylist.

When pickle.load deserializes an object graph, the pickle virtual machine can invoke arbitrary importable callables through the REDUCE opcode. doctest.debug_script accepts source text and executes it via pdb in a subprocess context, providing a path to run attacker-controlled Python code. Because picklescan reports the file as clean, downstream consumers proceed to deserialize the payload and trigger execution.

Root Cause

The root cause is an incomplete denylist of dangerous Python callables inside picklescan. Static analysis of pickle opcodes matches only known-bad module and attribute pairs. Any callable not present in the list, including doctest.debug_script, passes the scan even though it can trigger code execution during unpickling.

Attack Vector

A remote attacker publishes a malicious pickle file, for example a machine learning model checkpoint, on a public repository or delivers it through a supply chain path. The victim downloads the file and runs picklescan as a safety gate. The scan returns no findings because doctest.debug_script is not recognized. The victim then calls pickle.load on the file, which invokes doctest.debug_script with attacker-controlled source and executes arbitrary commands with the privileges of the loading process.

Exploitation requires user interaction, specifically loading the untrusted pickle after a false-negative scan. See the GitHub Security Advisory GHSA-fqq6-7vqf-w3fg and the VulnCheck Code Execution Advisory for technical details.

Detection Methods for CVE-2025-71368

Indicators of Compromise

  • Pickle files that import or reference the doctest module, particularly doctest.debug_script
  • Python processes spawning unexpected child processes such as pdb, shells, or interpreters shortly after a pickle.load call
  • Outbound network connections initiated by ML inference or training jobs immediately following model file loads
  • Unexpected file writes or persistence artifacts created by worker processes that consume third-party pickle files

Detection Strategies

  • Inspect pickle files with an updated scanner or a custom pickletools.dis walker that flags GLOBAL opcodes referencing doctest.debug_script and other executable callables.
  • Correlate pickle.load invocations in application logs with subsequent process creation events to identify anomalous execution chains.
  • Baseline expected module imports for model-loading services and alert on new imports of doctest, pdb, os, or subprocess at runtime.

Monitoring Recommendations

  • Enable Python audit hooks (sys.addaudithook) to log pickle.find_class events and forward them to a central log store.
  • Monitor endpoints that host ML workloads for child processes spawned by Python interpreters loading untrusted artifacts.
  • Track versions of picklescan in software bills of materials and alert when versions below 0.0.30 are present in production.

How to Mitigate CVE-2025-71368

Immediate Actions Required

  • Upgrade picklescan to version 0.0.30 or later across all developer workstations, CI pipelines, and production services.
  • Re-scan any pickle files that were previously cleared by an older picklescan version before further use.
  • Treat picklescan output as one signal among several and avoid deserializing pickle files from untrusted sources, even after a clean scan.

Patch Information

The maintainer released picklescan0.0.30, which adds detection for doctest.debug_script and related callables. Refer to the GitHub Security Advisory GHSA-fqq6-7vqf-w3fg for the fixed version and release notes.

Workarounds

  • Load third-party model files inside sandboxed environments such as containers with no network egress and read-only file systems.
  • Prefer safer serialization formats such as safetensors for machine learning model exchange.
  • Add a pre-load allowlist that restricts pickle.find_class to a known set of modules and rejects doctest, pdb, os, and subprocess.
bash
# Configuration example
pip install --upgrade 'picklescan>=0.0.30'
picklescan --path /path/to/model.pkl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.