Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71372

CVE-2025-71372: Picklescan RCE Vulnerability

CVE-2025-71372 is a remote code execution vulnerability in Picklescan before version 0.0.33 that allows attackers to bypass security checks and execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-71372 Overview

CVE-2025-71372 affects Picklescan versions before 0.0.33, a security scanner designed to detect malicious Python pickle files. The tool fails to identify the numpy.f2py.crackfortran.getlincoef gadget when invoked through pickle __reduce__ methods. Attackers can craft pickle files that execute arbitrary Python code while bypassing Picklescan's safety checks. This vulnerability enables supply-chain poisoning of shared machine learning model files distributed through public repositories. The flaw is classified under [CWE-502] Deserialization of Untrusted Data.

Critical Impact

Malicious pickle files can execute arbitrary Python code on systems loading them, evading Picklescan detection and enabling ML model supply-chain attacks.

Affected Products

  • Picklescan versions prior to 0.0.33
  • Python environments loading untrusted pickle files scanned by Picklescan
  • Machine learning pipelines relying on Picklescan for model file validation

Discovery Timeline

  • 2026-07-04 - CVE-2025-71372 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2025-71372

Vulnerability Analysis

Picklescan operates by inspecting pickle files for known dangerous imports and callables before deserialization. The scanner maintains a denylist of gadgets known to enable arbitrary code execution when triggered through pickle's __reduce__ protocol. The numpy.f2py.crackfortran.getlincoef function is missing from this denylist despite being exploitable as a code execution gadget.

When Python's pickle.load() processes a crafted payload, the __reduce__ method invokes getlincoef with attacker-controlled arguments. This gadget path leads to arbitrary Python execution within the loading process. Picklescan reports the file as safe, providing a false sense of security to downstream consumers.

Root Cause

The root cause is an incomplete denylist within Picklescan's detection logic. The scanner relies on enumeration of known dangerous callables rather than a strict allowlist approach. As new gadgets are discovered in dependencies such as numpy, any omission from the denylist creates a bypass. The numpy.f2py.crackfortran module contains Fortran parsing utilities not intended for use in serialization contexts.

Attack Vector

An attacker publishes a poisoned model file, such as a PyTorch checkpoint, to a public model registry or shared repository. The file contains a pickle payload that references numpy.f2py.crackfortran.getlincoef inside a __reduce__ method. A victim downloads the model, scans it with Picklescan, receives a clean report, and then loads the file. Deserialization triggers the gadget, executing attacker-supplied Python code with the privileges of the loading process. The vulnerability requires user interaction to load the file but no authentication.

The exploitation mechanism is documented in the GitHub Security Advisory GHSA-rrxm-2pvv-m66x and the VulnCheck Advisory on PickleScan.

Detection Methods for CVE-2025-71372

Indicators of Compromise

  • Pickle files containing references to numpy.f2py.crackfortran.getlincoef in their opcode stream
  • Unexpected child processes spawned by Python interpreters loading model files
  • Outbound network connections initiated shortly after torch.load() or pickle.load() calls
  • Model files sourced from untrusted repositories that pass Picklescan but exhibit anomalous runtime behavior

Detection Strategies

  • Inspect pickle files with pickletools.dis() to review opcodes for unexpected module imports before loading
  • Deploy allowlist-based unpicklers using pickle.Unpickler subclasses that reject any callable outside a fixed set
  • Correlate model file ingestion events with subsequent process creation and network telemetry in EDR data
  • Upgrade to Picklescan 0.0.33 or later and rescan previously validated artifacts

Monitoring Recommendations

  • Monitor Python processes for execve or CreateProcess calls originating from deserialization routines
  • Log all model file downloads from external sources and record their hashes for retrospective analysis
  • Alert on outbound connections from ML training and inference hosts to non-approved destinations
  • Track versions of Picklescan across CI/CD pipelines and enforce minimum version requirements

How to Mitigate CVE-2025-71372

Immediate Actions Required

  • Upgrade Picklescan to version 0.0.33 or later across all environments
  • Rescan any pickle or model files previously cleared by vulnerable Picklescan versions
  • Quarantine model files obtained from untrusted or unverified sources pending revalidation
  • Audit ML pipelines and container images for pinned versions of Picklescan below 0.0.33

Patch Information

The maintainers of Picklescan addressed this issue in version 0.0.33 by adding numpy.f2py.crackfortran.getlincoef and related gadgets to the scanner's detection ruleset. Refer to the GitHub Security Advisory GHSA-rrxm-2pvv-m66x for the full list of patched gadgets and upgrade instructions.

Workarounds

  • Prefer safer serialization formats such as safetensors for machine learning model distribution
  • Load pickle files only inside sandboxed environments with restricted filesystem and network access
  • Implement custom Unpickler classes that override find_class() to enforce a strict allowlist of permitted modules
  • Validate model file provenance through cryptographic signatures before loading, independent of Picklescan results
bash
# Upgrade Picklescan to the patched version
pip install --upgrade 'picklescan>=0.0.33'

# Verify the installed version
pip show picklescan | grep Version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.