Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71369

CVE-2025-71369: picklescan RCE Vulnerability

CVE-2025-71369 is a remote code execution vulnerability in picklescan before 0.0.28 that allows attackers to bypass safety checks. This post covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-71369 Overview

CVE-2025-71369 is an insecure deserialization vulnerability [CWE-502] in picklescan versions prior to 0.0.28. The scanner fails to detect malicious pickle files that abuse torch.utils.data.datapipes.utils.decoder.basichandlers inside __reduce__ methods. Attackers can craft pickle payloads that bypass picklescan safety checks and execute arbitrary code during deserialization. Because picklescan is commonly used to vet machine learning model files before loading, this bypass undermines a control that many ML pipelines rely on to prevent supply chain compromise. Remote attackers who publish or distribute malicious model artifacts can achieve remote code execution on any host that loads the file.

Critical Impact

Attackers can distribute malicious pickle-based ML models that bypass picklescan detection and execute arbitrary code when deserialized by downstream consumers.

Affected Products

  • picklescan versions before 0.0.28
  • Machine learning pipelines using picklescan to validate PyTorch model files
  • Downstream tooling that treats a passing picklescan result as a safety signal

Discovery Timeline

  • 2026-07-04 - CVE-2025-71369 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2025-71369

Vulnerability Analysis

Python's pickle format allows objects to define a __reduce__ method that returns a callable and its arguments. During deserialization, pickle invokes that callable, which makes any unsafe import path a code execution primitive. picklescan mitigates this by maintaining an allow/deny list of imports and flagging pickle streams that reference known-dangerous modules.

The scanner did not treat torch.utils.data.datapipes.utils.decoder.basichandlers as dangerous. This handler can be leveraged inside a __reduce__ payload to trigger unintended execution paths. Because the reference passes scanner heuristics, the malicious file is reported as safe. When a consumer subsequently calls torch.load or pickle.load on the file, the crafted reducer executes attacker-controlled logic.

Root Cause

The root cause is an incomplete deny list. picklescan inspects pickle opcodes and the fully qualified names of imported callables, but the torch.utils.data.datapipes.utils.decoder.basichandlers path was missing from the set of unsafe references. Detection reduces to string matching against a curated list, so any omitted gadget yields a false negative.

Attack Vector

The attack is network-reachable and requires user interaction: a victim must download and load the malicious pickle file, typically as a PyTorch model from a public model hub, artifact registry, or shared storage. The attacker crafts a pickle with a __reduce__ that references the overlooked handler and embeds the malicious callable. Scanning with vulnerable picklescan returns a clean result. Loading the file with standard PyTorch or pickle APIs then invokes the reducer and runs attacker code with the privileges of the loading process.

See the GitHub Security Advisory GHSA-h3qp-7fh3-f8h4 and the VulnCheck Advisory on PickleScan for technical details.

Detection Methods for CVE-2025-71369

Indicators of Compromise

  • Pickle or PyTorch model files containing references to torch.utils.data.datapipes.utils.decoder.basichandlers inside __reduce__ constructs.
  • Unexpected child processes spawned by Python interpreters immediately after torch.load or pickle.load calls.
  • Outbound network connections from ML training or inference hosts to unfamiliar destinations shortly after model load.
  • Model files originating from untrusted registries that pass picklescan on versions prior to 0.0.28.

Detection Strategies

  • Statically inspect pickle streams with pickletools.dis and flag any GLOBAL or STACK_GLOBAL opcodes that resolve to torch.utils.data.datapipes.utils.decoder.basichandlers or other decoder utilities used inside reducers.
  • Re-scan historical model artifacts with picklescan0.0.28 or later to identify files previously cleared under the vulnerable ruleset.
  • Prefer safer serialization formats such as safetensors and treat any legacy pickle model as untrusted until independently validated.

Monitoring Recommendations

  • Log every invocation of torch.load, pickle.load, and joblib.load in ML pipelines and correlate with the hash of the loaded file.
  • Monitor Python processes for anomalous execve, socket, and file-write behavior in the first seconds after model load.
  • Alert on ML worker hosts making outbound connections to non-allowlisted endpoints or writing to shell profile and cron paths.

How to Mitigate CVE-2025-71369

Immediate Actions Required

  • Upgrade picklescan to 0.0.28 or later across all developer workstations, CI runners, and model registries.
  • Re-scan every pickle-based model artifact that was previously validated with an earlier picklescan version and quarantine any new detections.
  • Restrict model loading to signed artifacts from trusted internal registries and block loads from untrusted sources.
  • Isolate model loading in sandboxed environments with no credentials, no outbound network, and least-privilege file system access.

Patch Information

The issue is fixed in picklescan0.0.28, which adds torch.utils.data.datapipes.utils.decoder.basichandlers to the set of unsafe references detected during scanning. Refer to the GitHub Security Advisory GHSA-h3qp-7fh3-f8h4 for the fix commit and release notes.

Workarounds

  • Migrate model persistence to safetensors, which does not execute code during load.
  • If pickle must be used, wrap loads with a restricted pickle.Unpickler subclass that overrides find_class and denies non-allowlisted modules.
  • Execute untrusted model loads only inside disposable containers or virtual machines with no access to secrets or production data.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.