CVE-2025-71370 Overview
CVE-2025-71370 is a detection bypass vulnerability in picklescan versions before 0.0.28. The scanner fails to flag malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft pickle payloads that pass picklescan validation and execute arbitrary code when the file is deserialized via pickle.load(). The flaw is tracked under CWE-502: Deserialization of Untrusted Data. Machine learning pipelines that rely on picklescan to vet third-party model files are the primary risk surface.
Critical Impact
Attackers achieve arbitrary code execution on systems that load attacker-supplied pickle files validated by picklescan before version 0.0.28.
Affected Products
- picklescan versions prior to 0.0.28
- Machine learning workflows using picklescan to validate PyTorch model files
- Downstream platforms that integrate picklescan as a trust boundary for pickle deserialization
Discovery Timeline
- 2026-06-23 - CVE-2025-71370 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-71370
Vulnerability Analysis
The picklescan library statically inspects pickle files for dangerous opcodes and imports before they reach pickle.load(). It maintains a denylist of known-unsafe callables that can trigger code execution during unpickling. Version 0.0.28 and earlier omit torch.jit.unsupported_tensor_ops.execWrapper from this denylist.
Attackers exploit this gap by referencing execWrapper inside a pickle stream. The scanner reports the file as clean, then deserialization invokes the wrapper and executes the attacker's payload. Exploitation requires the victim to load an untrusted pickle file, which is common in model-sharing ecosystems where users download checkpoints from public hubs.
The impact mirrors classic insecure deserialization. Arbitrary Python code runs with the privileges of the process loading the file, enabling credential theft, lateral movement, and persistence on inference servers or developer workstations.
Root Cause
The root cause is an incomplete denylist within picklescan. The project enumerates known-dangerous callables but did not include torch.jit.unsupported_tensor_ops.execWrapper, leaving a known code-execution sink unmonitored. Denylist-based protection against pickle abuse fails whenever a new executable callable is added to the ecosystem and the scanner is not updated.
Attack Vector
Exploitation proceeds in three steps. First, an attacker constructs a pickle file whose reduce protocol references torch.jit.unsupported_tensor_ops.execWrapper with attacker-controlled arguments. Second, the attacker distributes the file through a model hub, supply-chain channel, or direct delivery. Third, a victim runs picklescan against the file, receives a clean verdict, and loads it with pickle.load() or torch.load(), triggering execution of the embedded payload. See the VulnCheck Advisory on PickleScan for additional technical context.
No verified exploit code is published in the referenced advisories. The mechanism is documented in the GitHub Security Advisory.
Detection Methods for CVE-2025-71370
Indicators of Compromise
- Pickle or PyTorch model files containing references to torch.jit.unsupported_tensor_ops.execWrapper
- Unexpected child processes spawned by Python interpreters immediately after pickle.load() or torch.load() calls
- Outbound network connections from ML training or inference hosts shortly after loading third-party model files
Detection Strategies
- Statically grep candidate pickle files for the byte sequence unsupported_tensor_ops and execWrapper before loading
- Run an updated picklescan version 0.0.28 or later as a pre-load gate in CI pipelines and model registries
- Compare process trees of Python workers against a baseline to flag deserialization-triggered command execution
Monitoring Recommendations
- Log every invocation of pickle.load, pickle.loads, and torch.load with the originating file hash and user context
- Alert on Python processes spawning shells, curl, wget, or compilers in environments dedicated to model serving
- Track installed picklescan versions across build agents and developer workstations to confirm patch coverage
How to Mitigate CVE-2025-71370
Immediate Actions Required
- Upgrade picklescan to version 0.0.28 or later across all developer, CI, and production environments
- Re-scan any third-party pickle or PyTorch model files ingested before the upgrade using the patched scanner
- Treat any model files that previously passed picklescan from untrusted sources as suspect until re-validated
Patch Information
The maintainers fixed the issue in picklescan0.0.28 by adding torch.jit.unsupported_tensor_ops.execWrapper to the scanner's set of dangerous globals. Patch details are available in the GitHub Security Advisory GHSA-vr7h-p6mm-wpmh.
Workarounds
- Refuse to load pickle files from untrusted sources and prefer safer formats such as safetensors for model weights
- Sandbox pickle.load() and torch.load() operations inside containers with no network egress and minimal filesystem access
- Enforce signature verification on model artifacts before any deserialization step in the pipeline
# Upgrade picklescan to the fixed release
pip install --upgrade 'picklescan>=0.0.28'
# Verify the installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
# Scan a model file before loading
picklescan --path suspicious_model.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

