Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71371

CVE-2025-71371: picklescan RCE Vulnerability

CVE-2025-71371 is a remote code execution vulnerability in picklescan before version 0.0.29 that allows attackers to bypass detection and execute arbitrary code. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71371 Overview

CVE-2025-71371 is an insecure deserialization vulnerability [CWE-502] affecting picklescan versions before 0.0.29. The scanner fails to detect malicious pickle files that abuse code.InteractiveInterpreter.runcode inside __reduce__ methods. Attackers craft pickle payloads that pass through picklescan static analysis undetected, then execute arbitrary Python code the moment a victim invokes pickle.load(). The flaw undermines the primary purpose of picklescan, which is used across the machine learning ecosystem to vet untrusted model files distributed on hubs such as Hugging Face.

Critical Impact

Attackers can deliver weaponized pickle or model files that bypass picklescan scanning and achieve remote code execution when loaded by developers or ML pipelines.

Affected Products

  • picklescan versions prior to 0.0.29
  • Python machine learning pipelines that rely on picklescan to vet pickle or PyTorch model files
  • Model hosting and CI/CD workflows integrating picklescan as a pre-load safety check

Discovery Timeline

  • 2026-06-30 - CVE-2025-71371 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2025-71371

Vulnerability Analysis

Python's pickle module executes callables referenced by an object's __reduce__ method during deserialization. picklescan maintains an allowlist and denylist of imports and callables considered dangerous, blocking modules like os, subprocess, and builtins.eval. The scanner did not include code.InteractiveInterpreter.runcode in its denylist. That callable accepts a compiled code object and executes it inside an interactive interpreter, giving an attacker equivalent power to exec() without invoking any flagged symbol.

Because the malicious opcode sequence references only code.InteractiveInterpreter and compile, static inspection of the pickle stream returns a clean verdict. When a downstream consumer subsequently calls pickle.load() on the file, the reducer runs the attacker-supplied code with the privileges of the loading process.

Root Cause

The root cause is an incomplete denylist in picklescan. The scanner enumerates known dangerous imports but omitted the code standard library module, which exposes InteractiveInterpreter.runcode as a viable code-execution primitive. Denylist-based validation of a Turing-complete serialization format is inherently fragile, and any missing entry produces a full bypass.

Attack Vector

An attacker publishes a malicious pickle or PyTorch model file to a public repository, model hub, or shared storage location. A victim runs picklescan against the file, which reports no dangerous imports. The victim then loads the file with pickle.load(), torch.load(), or joblib.load(), at which point the reducer invokes code.InteractiveInterpreter().runcode(compile(<payload>, '<string>', 'exec')). The payload runs with the identity of the loading user, enabling credential theft, model poisoning, or lateral movement. Refer to the VulnCheck advisory on picklescan and the GitHub Security Advisory for full technical details.

Detection Methods for CVE-2025-71371

Indicators of Compromise

  • Pickle or model files whose opcode stream references code.InteractiveInterpreter, code.compile_command, or arbitrary uses of the code standard library module
  • Python processes spawning child interpreters or shells immediately after calls to pickle.load, torch.load, or joblib.load
  • Unexpected outbound network connections initiated by data-science workloads shortly after model loading

Detection Strategies

  • Inspect pickle files with tooling that enumerates every GLOBAL and STACK_GLOBAL opcode, flagging any import outside a strict allowlist rather than relying on denylists
  • Hunt for the byte sequence corresponding to code\nInteractiveInterpreter inside files with .pkl, .bin, .pt, or .ckpt extensions
  • Correlate model-loading events with subsequent process creation, file writes to sensitive paths, and outbound connections

Monitoring Recommendations

  • Log and alert on picklescan versions in use across build and inference environments, treating any version below 0.0.29 as vulnerable
  • Instrument Python ML services to record child process creation and DNS lookups originating from loader threads
  • Monitor model registries and artifact stores for newly uploaded pickle files and route them through an updated scanner before publication

How to Mitigate CVE-2025-71371

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later across developer workstations, CI runners, and production ML pipelines
  • Rescan any pickle or model artifact previously cleared by an older picklescan build, especially files sourced from public hubs
  • Restrict who can publish or overwrite model artifacts in internal registries and require signed provenance metadata

Patch Information

The maintainers addressed the bypass in picklescan0.0.29 by extending the denylist to cover code.InteractiveInterpreter and related callables. Details are documented in the GitHub Security Advisory GHSA-cj3c-v495-4xqh. Install the fixed release with pip install --upgrade picklescan>=0.0.29.

Workarounds

  • Prefer safer serialization formats such as safetensors for model weight distribution and reserve pickle for fully trusted internal data
  • Load untrusted pickle files inside sandboxed environments with no network access, read-only file systems, and minimal privileges
  • Combine picklescan with additional inspection tools and require multi-tool consensus before any external model is loaded in production
bash
# Upgrade picklescan and verify the installed version
pip install --upgrade 'picklescan>=0.0.29'
python -c "import picklescan, sys; print(picklescan.__version__)"

# Scan a model file before loading
picklescan --path ./suspicious_model.pkl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.