CVE-2025-71374 Overview
CVE-2025-71374 affects picklescan versions before 0.0.29, a Python library used to inspect pickle files for malicious content. The scanner fails to detect the built-in profile.Profile.run function when it is referenced inside pickle reduce methods. Attackers can craft malicious pickle files that evade picklescan detection and execute arbitrary code during deserialization. The flaw maps to CWE-502: Deserialization of Untrusted Data. Machine learning pipelines that rely on picklescan to vet third-party model files are directly exposed.
Critical Impact
Remote attackers can achieve arbitrary code execution on any host that loads a crafted pickle file previously cleared by picklescan before version 0.0.29.
Affected Products
- picklescan versions prior to 0.0.29
- Python applications and ML pipelines that depend on picklescan for pickle vetting
- Model hubs and workflows that ingest third-party pickle or PyTorch artifacts scanned by vulnerable versions
Discovery Timeline
- 2026-06-30 - CVE-2025-71374 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2025-71374
Vulnerability Analysis
picklescan maintains a denylist of dangerous Python callables that can trigger code execution when invoked through the pickle protocol. The library inspects the opcodes of a pickle stream and flags references to known unsafe functions. Version 0.0.29 and earlier omit profile.Profile.run from that denylist. Because profile.Profile.run accepts a string of Python source code and executes it, an attacker can wrap malicious code in a __reduce__ method that returns this function together with the payload. The pickle scanner processes the file, does not match any known bad symbol, and returns a clean verdict. The pickle is then loaded downstream, at which point the interpreter invokes profile.Profile.run(payload) and runs the attacker-supplied code.
Root Cause
The root cause is an incomplete allow/deny list inside picklescan. Detection depends on enumerating every stdlib function capable of executing code, and profile.Profile.run was missing from that inventory. Any object returned from __reduce__ referencing this callable evades static analysis.
Attack Vector
Exploitation requires a target to deserialize an untrusted pickle file that was scanned by a vulnerable picklescan release. Typical delivery paths include model weights hosted on public repositories, dataset caches, and shared artifacts in ML pipelines. Successful deserialization runs arbitrary Python code with the privileges of the loading process. User interaction is limited to opening or loading the model, which is standard behavior in most ML tooling.
No verified public proof-of-concept is linked in the advisory. Technical details are available in the GitHub Security Advisory GHSA-x696-vm39-cp64 and the VulnCheck Arbitrary Code Execution Advisory.
Detection Methods for CVE-2025-71374
Indicators of Compromise
- Pickle files containing opcodes that resolve to the profile.Profile.run global reference (c opcode followed by profile\nProfile.run).
- Python processes spawning unexpected child processes (sh, bash, cmd.exe, powershell.exe) immediately after a pickle.load, torch.load, or joblib.load call.
- Outbound network connections initiated by Python worker processes shortly after model or dataset ingestion.
Detection Strategies
- Statically scan pickle artifacts for references to profile.Profile.run, pdb.run, bdb.Bdb.run, and other stdlib runners that accept source strings.
- Upgrade picklescan to 0.0.29 or later and re-scan any previously vetted pickle inventory.
- Instrument pickle.Unpickler.find_class in ingestion services to log every module and callable resolved during deserialization.
Monitoring Recommendations
- Alert on Python interpreters loading pickles from network shares, object storage, or user-writable directories.
- Correlate model-loading events with subsequent process creation, file writes to autostart locations, and outbound connections to non-corporate destinations.
- Track versions of picklescan across CI/CD pipelines and developer workstations to identify hosts still running vulnerable releases.
How to Mitigate CVE-2025-71374
Immediate Actions Required
- Upgrade picklescan to version 0.0.29 or later across all environments that scan pickle files.
- Re-scan pickle artifacts and model files previously cleared by earlier picklescan versions.
- Quarantine pickle files originating from untrusted sources until they can be re-evaluated.
Patch Information
The issue is fixed in picklescan 0.0.29, which adds profile.Profile.run to the set of dangerous globals detected during scanning. Refer to the GitHub Security Advisory GHSA-x696-vm39-cp64 for the exact fix commit and release notes.
Workarounds
- Avoid loading pickle files from untrusted sources; prefer safer serialization formats such as safetensors for model weights.
- Load pickles inside sandboxed environments with no network egress and least-privilege file system access.
- Implement a custom Unpickler that restricts find_class to an explicit allowlist of expected classes.
# Upgrade picklescan to the fixed release
pip install --upgrade 'picklescan>=0.0.29'
# Verify installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
# Rescan a directory of pickle artifacts
picklescan --path /path/to/models
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

