CVE-2025-71369 Overview
CVE-2025-71369 is an insecure deserialization vulnerability [CWE-502] in picklescan versions prior to 0.0.28. The scanner fails to detect malicious pickle files that abuse torch.utils.data.datapipes.utils.decoder.basichandlers inside __reduce__ methods. Attackers can craft pickle payloads that bypass picklescan safety checks and execute arbitrary code during deserialization. Because picklescan is commonly used to vet machine learning model files before loading, this bypass undermines a control that many ML pipelines rely on to prevent supply chain compromise. Remote attackers who publish or distribute malicious model artifacts can achieve remote code execution on any host that loads the file.
Critical Impact
Attackers can distribute malicious pickle-based ML models that bypass picklescan detection and execute arbitrary code when deserialized by downstream consumers.
Affected Products
- picklescan versions before 0.0.28
- Machine learning pipelines using picklescan to validate PyTorch model files
- Downstream tooling that treats a passing picklescan result as a safety signal
Discovery Timeline
- 2026-07-04 - CVE-2025-71369 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71369
Vulnerability Analysis
Python's pickle format allows objects to define a __reduce__ method that returns a callable and its arguments. During deserialization, pickle invokes that callable, which makes any unsafe import path a code execution primitive. picklescan mitigates this by maintaining an allow/deny list of imports and flagging pickle streams that reference known-dangerous modules.
The scanner did not treat torch.utils.data.datapipes.utils.decoder.basichandlers as dangerous. This handler can be leveraged inside a __reduce__ payload to trigger unintended execution paths. Because the reference passes scanner heuristics, the malicious file is reported as safe. When a consumer subsequently calls torch.load or pickle.load on the file, the crafted reducer executes attacker-controlled logic.
Root Cause
The root cause is an incomplete deny list. picklescan inspects pickle opcodes and the fully qualified names of imported callables, but the torch.utils.data.datapipes.utils.decoder.basichandlers path was missing from the set of unsafe references. Detection reduces to string matching against a curated list, so any omitted gadget yields a false negative.
Attack Vector
The attack is network-reachable and requires user interaction: a victim must download and load the malicious pickle file, typically as a PyTorch model from a public model hub, artifact registry, or shared storage. The attacker crafts a pickle with a __reduce__ that references the overlooked handler and embeds the malicious callable. Scanning with vulnerable picklescan returns a clean result. Loading the file with standard PyTorch or pickle APIs then invokes the reducer and runs attacker code with the privileges of the loading process.
See the GitHub Security Advisory GHSA-h3qp-7fh3-f8h4 and the VulnCheck Advisory on PickleScan for technical details.
Detection Methods for CVE-2025-71369
Indicators of Compromise
- Pickle or PyTorch model files containing references to torch.utils.data.datapipes.utils.decoder.basichandlers inside __reduce__ constructs.
- Unexpected child processes spawned by Python interpreters immediately after torch.load or pickle.load calls.
- Outbound network connections from ML training or inference hosts to unfamiliar destinations shortly after model load.
- Model files originating from untrusted registries that pass picklescan on versions prior to 0.0.28.
Detection Strategies
- Statically inspect pickle streams with pickletools.dis and flag any GLOBAL or STACK_GLOBAL opcodes that resolve to torch.utils.data.datapipes.utils.decoder.basichandlers or other decoder utilities used inside reducers.
- Re-scan historical model artifacts with picklescan0.0.28 or later to identify files previously cleared under the vulnerable ruleset.
- Prefer safer serialization formats such as safetensors and treat any legacy pickle model as untrusted until independently validated.
Monitoring Recommendations
- Log every invocation of torch.load, pickle.load, and joblib.load in ML pipelines and correlate with the hash of the loaded file.
- Monitor Python processes for anomalous execve, socket, and file-write behavior in the first seconds after model load.
- Alert on ML worker hosts making outbound connections to non-allowlisted endpoints or writing to shell profile and cron paths.
How to Mitigate CVE-2025-71369
Immediate Actions Required
- Upgrade picklescan to 0.0.28 or later across all developer workstations, CI runners, and model registries.
- Re-scan every pickle-based model artifact that was previously validated with an earlier picklescan version and quarantine any new detections.
- Restrict model loading to signed artifacts from trusted internal registries and block loads from untrusted sources.
- Isolate model loading in sandboxed environments with no credentials, no outbound network, and least-privilege file system access.
Patch Information
The issue is fixed in picklescan0.0.28, which adds torch.utils.data.datapipes.utils.decoder.basichandlers to the set of unsafe references detected during scanning. Refer to the GitHub Security Advisory GHSA-h3qp-7fh3-f8h4 for the fix commit and release notes.
Workarounds
- Migrate model persistence to safetensors, which does not execute code during load.
- If pickle must be used, wrap loads with a restricted pickle.Unpickler subclass that overrides find_class and denies non-allowlisted modules.
- Execute untrusted model loads only inside disposable containers or virtual machines with no access to secrets or production data.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

