CVE-2025-71373 Overview
CVE-2025-71373 affects picklescan versions prior to 0.0.33, a security scanner used to inspect Python pickle files for malicious content. The scanner fails to detect operator.methodcaller function calls embedded in pickle payloads. Attackers can craft malicious pickle files that invoke operator.methodcaller to execute arbitrary code when deserialized, while bypassing picklescan validation. Systems relying on picklescan to vet machine learning models or serialized objects from untrusted sources are exposed to remote code execution. This weakness is categorized under [CWE-693: Protection Mechanism Failure].
Critical Impact
Attackers can bypass picklescan static analysis and achieve arbitrary code execution when a malicious pickle file is loaded, compromising ML pipelines and any workflow that treats scanned pickles as safe.
Affected Products
- picklescan versions before 0.0.33
- Python applications and ML pipelines using picklescan to validate pickle files
- Model hubs and CI/CD workflows that gate pickle artifacts on picklescan output
Discovery Timeline
- 2026-07-04 - CVE-2025-71373 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2025-71373
Vulnerability Analysis
Python's pickle module reconstructs objects by executing opcodes that reference callables in the target interpreter. picklescan maintains an allow/deny model of callables considered dangerous, blocking known code-execution primitives such as os.system, subprocess.Popen, and builtins.eval. The scanner does not flag operator.methodcaller, an equally powerful primitive in the operator module.
operator.methodcaller(name, *args) returns a callable that invokes the named method on any object passed to it. When combined with a target object supplied through the pickle stream, an attacker can invoke arbitrary methods, including those that spawn processes or write files. The bypass reduces picklescan to a false sense of assurance for downstream consumers.
Exploitation requires the victim to load the malicious pickle, which qualifies as a passive user interaction. No authentication is required, and the attack is deliverable over the network via model repositories, shared datasets, or supply-chain distribution channels. The current EPSS probability is 0.444%.
Root Cause
The root cause is an incomplete deny list inside picklescan. The scanner enumerates known dangerous imports but omits operator.methodcaller, allowing malicious pickles that use this primitive to pass validation. The design assumes a finite, curated list of hazardous callables rather than restricting execution to a safe allow list.
Attack Vector
An attacker publishes a crafted pickle file, typically packaged as a machine learning model or serialized dataset, to a location a victim will consume. The victim runs picklescan and receives a clean result. When the victim subsequently loads the pickle with pickle.load or torch.load, the REDUCE opcode triggers the attacker-controlled operator.methodcaller chain, invoking arbitrary methods on attacker-supplied objects and executing code in the victim process. See the VulnCheck Advisory on Picklescan and the GitHub Security Advisory for technical details.
// No verified public exploit code is included.
// See the referenced advisories for proof-of-concept details.
Detection Methods for CVE-2025-71373
Indicators of Compromise
- Presence of the byte sequence corresponding to operator\nmethodcaller in pickle files scanned or stored by the environment
- picklescan output reporting a clean scan on files that later spawn child processes when loaded
- Unexpected process creation, network egress, or file writes originating from Python interpreters loading pickle or model files
- Pickle artifacts sourced from external model hubs whose SHA-256 hashes do not match a vetted internal registry
Detection Strategies
- Statically inspect pickle files for GLOBAL opcodes referencing the operator module, particularly methodcaller, attrgetter, and itemgetter
- Run picklescan version 0.0.33 or later, which adds detection for the operator.methodcaller bypass
- Execute pickle loads in a sandboxed environment and monitor for syscalls that indicate code execution
- Correlate model file ingestion events with subsequent process, network, and file activity to identify anomalous chains
Monitoring Recommendations
- Log all invocations of pickle.load, pickle.loads, torch.load, and joblib.load with the source path and initiating user
- Alert on Python processes spawning shells (/bin/sh, bash, cmd.exe, powershell.exe) shortly after loading pickle or model files
- Track version pinning of picklescan across CI/CD pipelines and reject builds using vulnerable releases
How to Mitigate CVE-2025-71373
Immediate Actions Required
- Upgrade picklescan to version 0.0.33 or later across all developer workstations, CI/CD runners, and model validation services
- Re-scan any pickle or model artifacts admitted based on prior picklescan results, particularly those from external sources
- Restrict pickle loading to trusted, internally-produced artifacts and prefer safer formats such as safetensors for model weights
- Isolate any workflow that must load untrusted pickles inside a network-restricted sandbox with minimal filesystem privileges
Patch Information
The maintainers released picklescan0.0.33, which adds detection for operator.methodcaller invocations in pickle streams. Consult the GitHub Security Advisory for the full fix description and upgrade guidance.
Workarounds
- Refuse pickle artifacts that reference the operator module in GLOBAL opcodes until upgrade is complete
- Convert model weights from pickle-based formats to safetensors where feasible to remove the deserialization attack surface
- Enforce cryptographic signing and hash pinning of internal pickle artifacts to prevent substitution
# Upgrade picklescan to the fixed release
pip install --upgrade 'picklescan>=0.0.33'
# Verify the installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
# Quick pre-load triage for pickle files
python -m picklescan --path /path/to/model.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

