CVE-2025-71376 Overview
CVE-2025-71376 affects picklescan versions before 0.0.29, a security scanner designed to detect malicious Python pickle files. The tool fails to identify pickle payloads that abuse idlelib.autocomplete.AutoComplete.fetch_completions within __reduce__ methods. Attackers can craft pickle files that bypass scanner checks and execute arbitrary commands when victims deserialize the files. This weakness maps to CWE-502: Deserialization of Untrusted Data and primarily threatens machine learning workflows that distribute model weights as pickle artifacts.
Critical Impact
Attackers can ship pickle files that pass picklescan validation yet execute arbitrary code on the victim host during model loading.
Affected Products
- picklescan versions prior to 0.0.29
- Machine learning pipelines that rely on picklescan to vet third-party model files
- Applications loading pickle files validated only by vulnerable picklescan releases
Discovery Timeline
- 2026-06-23 - CVE-2025-71376 published to the National Vulnerability Database
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-71376
Vulnerability Analysis
picklescan inspects pickle byte streams for references to dangerous callables before allowing deserialization. The scanner maintains denylists of known unsafe modules and functions such as os.system, subprocess.Popen, and similar primitives. Version 0.0.28 and earlier do not include idlelib.autocomplete.AutoComplete.fetch_completions in this denylist. The fetch_completions method internally evaluates expressions, which an attacker can leverage to execute arbitrary Python code. By placing this callable inside a __reduce__ method, a malicious actor produces a pickle file that the scanner reports as safe.
Root Cause
The root cause is an incomplete denylist within picklescan. The scanner classifies pickles by enumerating GLOBAL and STACK_GLOBAL opcodes and matching them against a static set of dangerous symbols. Because idlelib.autocomplete.AutoComplete.fetch_completions is not part of the Python standard library's typical attack surface, maintainers did not include it. This allowlist-by-omission design fails open whenever the broader Python ecosystem exposes a new code-execution sink.
Attack Vector
Exploitation requires the victim to download and load an attacker-supplied pickle file, typically a machine learning model from a public repository. The attacker constructs a class whose __reduce__ returns a tuple invoking idlelib.autocomplete.AutoComplete.fetch_completions with an attacker-controlled expression. The victim runs picklescan against the file, receives a clean verdict, and then calls pickle.load or torch.load. Deserialization triggers the embedded callable and executes the attacker's payload under the victim's user context. Refer to the GitHub Security Advisory GHSA-7cq8-mj8x-j263 and the VulnCheck Advisory on Picklescan for additional technical context.
Detection Methods for CVE-2025-71376
Indicators of Compromise
- Pickle files that import idlelib.autocomplete or reference AutoComplete.fetch_completions
- Unexpected child processes spawned by Python interpreters loading model files
- Outbound network connections initiated by Python processes immediately after pickle.load or torch.load calls
- Modifications to user startup files or scheduled tasks following ML model ingestion
Detection Strategies
- Inspect pickle byte streams for GLOBAL opcodes referencing idlelib modules, which have no legitimate role in serialized ML artifacts
- Run pickle files through picklescan0.0.29 or later, which adds the missing denylist entry
- Use multiple independent scanners such as fickling alongside picklescan to reduce single-tool blind spots
Monitoring Recommendations
- Log all process executions spawned by Python interpreters that load externally sourced pickle or model files
- Alert on Python processes invoking shell utilities, network clients, or credential stores shortly after deserialization
- Track picklescan version inventory across CI pipelines and developer workstations to confirm patched releases are in use
How to Mitigate CVE-2025-71376
Immediate Actions Required
- Upgrade picklescan to version 0.0.29 or later across all environments
- Re-scan any third-party pickle or PyTorch model files previously validated with vulnerable picklescan releases
- Restrict pickle loading to files originating from trusted, signed sources only
- Run model deserialization inside sandboxed environments with no outbound network access or sensitive credentials
Patch Information
The maintainers addressed the issue in picklescan0.0.29 by adding idlelib.autocomplete.AutoComplete.fetch_completions to the unsafe-symbol denylist. Details are published in the GitHub Security Advisory GHSA-7cq8-mj8x-j263.
Workarounds
- Avoid loading pickle files from untrusted sources and prefer safer formats such as safetensors for model weights
- Add a custom denylist entry for idlelib.autocomplete if upgrading picklescan is not immediately feasible
- Execute pickle loading operations inside containers or virtual machines with minimal privileges and no persistent secrets
# Upgrade picklescan to the patched release
pip install --upgrade 'picklescan>=0.0.29'
# Verify installed version
python -c "import picklescan, importlib.metadata as m; print(m.version('picklescan'))"
# Scan a model file before loading
picklescan --path ./model.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

