Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71375

CVE-2025-71375: picklescan RCE Vulnerability Explained

CVE-2025-71375 is a remote code execution vulnerability in picklescan before version 0.0.34 that allows attackers to bypass detection using crafted pickle payloads. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71375 Overview

CVE-2025-71375 affects picklescan versions before 0.0.34, a tool designed to detect malicious code inside Python pickle files. The scanner fails to flag the _operator.methodcaller built-in function when analyzing pickle payloads. Attackers can craft pickle files that use _operator.methodcaller to invoke arbitrary methods, bypassing static detection. When a downstream application deserializes the file with pickle.load(), the payload executes attacker-controlled code. This weakness is tracked as [CWE-502: Deserialization of Untrusted Data]. Machine learning workflows that rely on picklescan to vet third-party model checkpoints are the primary risk surface.

Critical Impact

Malicious pickle files pass picklescan inspection and achieve remote code execution when loaded, undermining a core defensive control for ML model supply chains.

Affected Products

  • picklescan versions prior to 0.0.34
  • Python applications relying on picklescan to validate untrusted pickle files
  • Machine learning pipelines scanning third-party model artifacts before pickle.load()

Discovery Timeline

  • 2026-07-04 - CVE-2025-71375 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2025-71375

Vulnerability Analysis

Python's pickle protocol allows serialized objects to reference callables that are executed during deserialization. Tools like picklescan protect users by inspecting the opcode stream and flagging references to dangerous built-ins such as os.system, subprocess.Popen, or builtins.eval. The scanner maintains an allow/deny list of module and attribute pairs considered unsafe.

The _operator.methodcaller callable, from Python's _operator C module, was omitted from the deny list. methodcaller(name)(obj) invokes obj.name(), enabling attackers to call arbitrary methods on arbitrary objects loaded earlier in the pickle stream. Combined with REDUCE opcodes, this primitive is sufficient for arbitrary code execution.

Root Cause

The root cause is an incomplete blocklist inside picklescan. The scanner enumerates known-dangerous globals but did not include _operator.methodcaller. Because pickle grants any listed global the ability to be invoked during unpickling, missing entries translate directly into detection gaps. This is characteristic of blocklist-based defenses against insecure deserialization.

Attack Vector

An attacker publishes a malicious pickle file, typically as a machine learning model checkpoint, on a public registry or model hub. A victim downloads the artifact and runs picklescan to verify safety. The scanner reports no findings because _operator.methodcaller is not in its detection ruleset. The victim then calls pickle.load() on the file, at which point the crafted methodcaller invocation executes attacker-chosen methods, achieving arbitrary code execution in the victim's Python process. Exploitation requires user interaction to load the file but no authentication or privileged access to the target system.

No verified public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory and the VulnCheck Advisory for technical details.

Detection Methods for CVE-2025-71375

Indicators of Compromise

  • Pickle files containing references to the _operator module or the methodcaller attribute in their opcode stream
  • picklescan scan reports returning clean results on pickle files that later spawn unexpected child processes
  • Python processes loading model checkpoints and immediately executing shells, network clients, or file system utilities

Detection Strategies

  • Statically parse pickle files with pickletools.dis() and alert on any GLOBAL or STACK_GLOBAL opcode referencing _operator.methodcaller, operator.methodcaller, or other unusual callables
  • Upgrade to picklescan 0.0.34 or later, which adds _operator.methodcaller to its detection rules
  • Run pickle.load() operations inside sandboxed or containerized environments where behavioral telemetry can flag unexpected process, file, and network activity

Monitoring Recommendations

  • Log all invocations of pickle.load, torch.load, and joblib.load against files sourced from external repositories
  • Alert on Python interpreters launching shells (sh, bash, cmd.exe, powershell.exe) shortly after model or dataset load events
  • Track outbound network connections initiated by ML training and inference workloads that deviate from baseline

How to Mitigate CVE-2025-71375

Immediate Actions Required

  • Upgrade picklescan to version 0.0.34 or later across all developer workstations, CI pipelines, and model validation services
  • Re-scan any pickle artifacts previously cleared by an older picklescan version before treating them as trusted
  • Treat pickle files from untrusted sources as executable code and refuse to load them without sandboxing

Patch Information

The maintainers of picklescan addressed the gap in version 0.0.34 by adding _operator.methodcaller to the set of dangerous globals detected during scanning. Update via pip install --upgrade picklescan>=0.0.34 and confirm the installed version with pip show picklescan. Details are available in the GitHub Security Advisory GHSA-955r-x9j8-7rhh.

Workarounds

  • Prefer safer serialization formats such as safetensors for machine learning weights instead of pickle
  • Load untrusted pickle files inside isolated containers with no network egress and restricted file system access
  • Implement a custom pickle.Unpickler.find_class allowlist that rejects any global outside a small, explicitly approved set
bash
# Upgrade picklescan and verify version
pip install --upgrade 'picklescan>=0.0.34'
pip show picklescan | grep -i version

# Disassemble a pickle file to inspect referenced globals
python -m pickletools -a suspicious_model.pkl | grep -Ei 'GLOBAL|_operator|methodcaller'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.