CVE-2025-71378 Overview
CVE-2025-71378 is a security scanner bypass vulnerability in picklescan versions before 0.0.30. The tool fails to detect calls to the cProfile.runctx function inside pickle file reduce methods. Attackers can craft malicious pickle files that bypass picklescan static analysis and execute arbitrary code when the file is loaded via pickle.load(). The flaw is classified as CWE-502: Deserialization of Untrusted Data and primarily affects machine learning workflows that rely on picklescan to vet untrusted model artifacts before loading.
Critical Impact
Attackers can achieve remote code execution on systems that scan pickle files with picklescan and then load them, undermining the security control intended to block such payloads.
Affected Products
- picklescan versions prior to 0.0.30
- Machine learning pipelines that use picklescan to validate untrusted pickle or model files
- Downstream tools that bundle picklescan as a safety check before pickle.load()
Discovery Timeline
- 2026-06-21 - CVE-2025-71378 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2025-71378
Vulnerability Analysis
The Python pickle module supports arbitrary object reconstruction through the __reduce__ method, which returns a callable and arguments to invoke during deserialization. picklescan performs static inspection of pickle bytecode and maintains a denylist of dangerous callables such as os.system, subprocess.Popen, and eval. Any callable not on this list passes the scan. The cProfile.runctx function was omitted from the dangerous-callable set, even though it executes a Python statement string in a supplied namespace. An attacker who supplies cProfile.runctx as the reduce callable can pass arbitrary Python source as its first argument and have it executed during pickle.load().
Root Cause
The root cause is incomplete coverage of the Python standard library inside the picklescan denylist. cProfile.runctx(cmd, globals, locals) internally calls exec(cmd, globals, locals) under a profiler, which makes it functionally equivalent to exec for attacker purposes. Because the scanner did not flag cProfile.runctx, the pickle stream containing a REDUCE opcode pointing at this function was treated as benign.
Attack Vector
The attack requires the victim to download a malicious pickle or ML model file, scan it with picklescan, and then load it with pickle.load() or an equivalent deserialization API. User interaction is required to fetch and load the file. The malicious file contains a class with a __reduce__ method returning (cProfile.runctx, ("<attacker python>", {}, {})). Static scanning reports the file as safe, and code execution occurs at load time. No authentication is needed because the attack rides on user-supplied artifacts. Refer to the VulnCheck advisory and the GitHub Security Advisory GHSA-9w88-8rmg-7g2p for technical details. No verified proof-of-concept code is reproduced here.
Detection Methods for CVE-2025-71378
Indicators of Compromise
- Pickle or ML model files whose disassembly contains a GLOBAL opcode referencing cProfile and runctx followed by a REDUCE opcode.
- Python processes spawning unexpected child processes, network connections, or file writes immediately after a pickle.load() call.
- Presence of picklescan versions below 0.0.30 in CI/CD or model-validation pipelines.
Detection Strategies
- Run pickletools.dis() against untrusted pickle files and search the output for cProfile, runctx, exec, eval, or other indirect-execution primitives.
- Inventory Python environments for the installed picklescan version using pip show picklescan and flag any release before 0.0.30.
- Apply YARA or string-matching rules to pickle artifacts for byte sequences encoding cProfile\nruntcx and similar callables.
Monitoring Recommendations
- Log all invocations of pickle.load, pickle.loads, torch.load, and joblib.load in production services and correlate with subsequent process or network activity.
- Alert on Python interpreters that load untrusted artifacts and then execute shell utilities such as sh, bash, cmd.exe, or powershell.exe.
- Monitor model-registry and artifact-store downloads for files originating outside approved publishers.
How to Mitigate CVE-2025-71378
Immediate Actions Required
- Upgrade picklescan to version 0.0.30 or later across all developer, CI, and production environments.
- Re-scan any previously vetted pickle or ML model artifacts using the patched scanner before reusing them.
- Block ingestion of untrusted pickle files from public model hubs until validation pipelines are updated.
Patch Information
The maintainer addressed the issue in picklescan release 0.0.30 by extending the dangerous-callable list to include cProfile.runctx and related indirect-execution functions. Patch details are documented in GHSA-9w88-8rmg-7g2p. Update with pip install --upgrade picklescan>=0.0.30.
Workarounds
- Replace the pickle format with safer serialization such as safetensors for model weights or JSON for data interchange.
- Load untrusted pickle files only inside sandboxed, network-restricted containers with no access to credentials or production data.
- Pin model artifacts to cryptographically signed releases from trusted publishers and verify signatures before deserialization.
# Configuration example
pip install --upgrade 'picklescan>=0.0.30'
picklescan --path ./models/suspect.pkl
python -m pickletools ./models/suspect.pkl | grep -E 'cProfile|runctx|exec|eval|system'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

