Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71376

CVE-2025-71376: picklescan RCE Vulnerability

CVE-2025-71376 is a remote code execution flaw in picklescan before version 0.0.29 that fails to detect malicious pickle files. Attackers can execute arbitrary commands when victims load these files.

Published:

CVE-2025-71376 Overview

CVE-2025-71376 affects picklescan versions before 0.0.29, a security scanner designed to detect malicious Python pickle files. The tool fails to identify pickle payloads that abuse idlelib.autocomplete.AutoComplete.fetch_completions within __reduce__ methods. Attackers can craft pickle files that bypass scanner checks and execute arbitrary commands when victims deserialize the files. This weakness maps to CWE-502: Deserialization of Untrusted Data and primarily threatens machine learning workflows that distribute model weights as pickle artifacts.

Critical Impact

Attackers can ship pickle files that pass picklescan validation yet execute arbitrary code on the victim host during model loading.

Affected Products

  • picklescan versions prior to 0.0.29
  • Machine learning pipelines that rely on picklescan to vet third-party model files
  • Applications loading pickle files validated only by vulnerable picklescan releases

Discovery Timeline

  • 2026-06-23 - CVE-2025-71376 published to the National Vulnerability Database
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2025-71376

Vulnerability Analysis

picklescan inspects pickle byte streams for references to dangerous callables before allowing deserialization. The scanner maintains denylists of known unsafe modules and functions such as os.system, subprocess.Popen, and similar primitives. Version 0.0.28 and earlier do not include idlelib.autocomplete.AutoComplete.fetch_completions in this denylist. The fetch_completions method internally evaluates expressions, which an attacker can leverage to execute arbitrary Python code. By placing this callable inside a __reduce__ method, a malicious actor produces a pickle file that the scanner reports as safe.

Root Cause

The root cause is an incomplete denylist within picklescan. The scanner classifies pickles by enumerating GLOBAL and STACK_GLOBAL opcodes and matching them against a static set of dangerous symbols. Because idlelib.autocomplete.AutoComplete.fetch_completions is not part of the Python standard library's typical attack surface, maintainers did not include it. This allowlist-by-omission design fails open whenever the broader Python ecosystem exposes a new code-execution sink.

Attack Vector

Exploitation requires the victim to download and load an attacker-supplied pickle file, typically a machine learning model from a public repository. The attacker constructs a class whose __reduce__ returns a tuple invoking idlelib.autocomplete.AutoComplete.fetch_completions with an attacker-controlled expression. The victim runs picklescan against the file, receives a clean verdict, and then calls pickle.load or torch.load. Deserialization triggers the embedded callable and executes the attacker's payload under the victim's user context. Refer to the GitHub Security Advisory GHSA-7cq8-mj8x-j263 and the VulnCheck Advisory on Picklescan for additional technical context.

Detection Methods for CVE-2025-71376

Indicators of Compromise

  • Pickle files that import idlelib.autocomplete or reference AutoComplete.fetch_completions
  • Unexpected child processes spawned by Python interpreters loading model files
  • Outbound network connections initiated by Python processes immediately after pickle.load or torch.load calls
  • Modifications to user startup files or scheduled tasks following ML model ingestion

Detection Strategies

  • Inspect pickle byte streams for GLOBAL opcodes referencing idlelib modules, which have no legitimate role in serialized ML artifacts
  • Run pickle files through picklescan0.0.29 or later, which adds the missing denylist entry
  • Use multiple independent scanners such as fickling alongside picklescan to reduce single-tool blind spots

Monitoring Recommendations

  • Log all process executions spawned by Python interpreters that load externally sourced pickle or model files
  • Alert on Python processes invoking shell utilities, network clients, or credential stores shortly after deserialization
  • Track picklescan version inventory across CI pipelines and developer workstations to confirm patched releases are in use

How to Mitigate CVE-2025-71376

Immediate Actions Required

  • Upgrade picklescan to version 0.0.29 or later across all environments
  • Re-scan any third-party pickle or PyTorch model files previously validated with vulnerable picklescan releases
  • Restrict pickle loading to files originating from trusted, signed sources only
  • Run model deserialization inside sandboxed environments with no outbound network access or sensitive credentials

Patch Information

The maintainers addressed the issue in picklescan0.0.29 by adding idlelib.autocomplete.AutoComplete.fetch_completions to the unsafe-symbol denylist. Details are published in the GitHub Security Advisory GHSA-7cq8-mj8x-j263.

Workarounds

  • Avoid loading pickle files from untrusted sources and prefer safer formats such as safetensors for model weights
  • Add a custom denylist entry for idlelib.autocomplete if upgrading picklescan is not immediately feasible
  • Execute pickle loading operations inside containers or virtual machines with minimal privileges and no persistent secrets
bash
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.29'

# Verify installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"

# Scan a model file before loading
picklescan --path ./model.pkl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.