CVE-2025-71368 Overview
CVE-2025-71368 is an arbitrary code execution vulnerability in picklescan versions before 0.0.30. The scanner fails to detect calls to the doctest.debug_script function when analyzing Python pickle files. Attackers can craft malicious pickle files that embed doctest.debug_script calls, bypass picklescan's static analysis, and execute arbitrary commands when the pickle is loaded via pickle.load. The flaw is tracked under CWE-502: Deserialization of Untrusted Data and affects machine learning pipelines that rely on picklescan to vet untrusted model files.
Critical Impact
Attackers can achieve remote arbitrary code execution against systems that trust picklescan results before invoking pickle.load on downloaded model files.
Affected Products
- picklescan versions prior to 0.0.30
- Python applications and ML pipelines using picklescan to validate pickle files
- Model-sharing workflows that rely on picklescan scans before deserialization
Discovery Timeline
- 2026-06-30 - CVE-2025-71368 published to the National Vulnerability Database (NVD)
- 2026-07-01 - Last updated in the NVD database
Technical Details for CVE-2025-71368
Vulnerability Analysis
picklescan inspects pickle files to identify references to functions known to enable code execution during deserialization. The tool maintains a denylist of dangerous callables that pickle opcodes may resolve at load time. Versions before 0.0.30 omit the doctest.debug_script function from this denylist.
When pickle.load deserializes an object graph, the pickle virtual machine can invoke arbitrary importable callables through the REDUCE opcode. doctest.debug_script accepts source text and executes it via pdb in a subprocess context, providing a path to run attacker-controlled Python code. Because picklescan reports the file as clean, downstream consumers proceed to deserialize the payload and trigger execution.
Root Cause
The root cause is an incomplete denylist of dangerous Python callables inside picklescan. Static analysis of pickle opcodes matches only known-bad module and attribute pairs. Any callable not present in the list, including doctest.debug_script, passes the scan even though it can trigger code execution during unpickling.
Attack Vector
A remote attacker publishes a malicious pickle file, for example a machine learning model checkpoint, on a public repository or delivers it through a supply chain path. The victim downloads the file and runs picklescan as a safety gate. The scan returns no findings because doctest.debug_script is not recognized. The victim then calls pickle.load on the file, which invokes doctest.debug_script with attacker-controlled source and executes arbitrary commands with the privileges of the loading process.
Exploitation requires user interaction, specifically loading the untrusted pickle after a false-negative scan. See the GitHub Security Advisory GHSA-fqq6-7vqf-w3fg and the VulnCheck Code Execution Advisory for technical details.
Detection Methods for CVE-2025-71368
Indicators of Compromise
- Pickle files that import or reference the doctest module, particularly doctest.debug_script
- Python processes spawning unexpected child processes such as pdb, shells, or interpreters shortly after a pickle.load call
- Outbound network connections initiated by ML inference or training jobs immediately following model file loads
- Unexpected file writes or persistence artifacts created by worker processes that consume third-party pickle files
Detection Strategies
- Inspect pickle files with an updated scanner or a custom pickletools.dis walker that flags GLOBAL opcodes referencing doctest.debug_script and other executable callables.
- Correlate pickle.load invocations in application logs with subsequent process creation events to identify anomalous execution chains.
- Baseline expected module imports for model-loading services and alert on new imports of doctest, pdb, os, or subprocess at runtime.
Monitoring Recommendations
- Enable Python audit hooks (sys.addaudithook) to log pickle.find_class events and forward them to a central log store.
- Monitor endpoints that host ML workloads for child processes spawned by Python interpreters loading untrusted artifacts.
- Track versions of picklescan in software bills of materials and alert when versions below 0.0.30 are present in production.
How to Mitigate CVE-2025-71368
Immediate Actions Required
- Upgrade picklescan to version 0.0.30 or later across all developer workstations, CI pipelines, and production services.
- Re-scan any pickle files that were previously cleared by an older picklescan version before further use.
- Treat picklescan output as one signal among several and avoid deserializing pickle files from untrusted sources, even after a clean scan.
Patch Information
The maintainer released picklescan0.0.30, which adds detection for doctest.debug_script and related callables. Refer to the GitHub Security Advisory GHSA-fqq6-7vqf-w3fg for the fixed version and release notes.
Workarounds
- Load third-party model files inside sandboxed environments such as containers with no network egress and read-only file systems.
- Prefer safer serialization formats such as safetensors for machine learning model exchange.
- Add a pre-load allowlist that restricts pickle.find_class to a known set of modules and rejects doctest, pdb, os, and subprocess.
# Configuration example
pip install --upgrade 'picklescan>=0.0.30'
picklescan --path /path/to/model.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

