CVE-2025-71345: Picklescan Malicious Pickle File Detection Bypass Leading to RCE
CVE-2025-71345 describes a critical vulnerability in `picklescan` versions prior to 0.0.30, where attackers can embed undetected malicious code within pickle files that specifically invoke the `torch.utils.bottleneck.__main__.run_autograd_prof` function, leading to remote code execution upon deserialization by bypassing `picklescan`'s security checks.
CVE-2025-71345 identifies a significant vulnerability affecting picklescan versions released before 0.0.30. This flaw enables threat actors to craft malicious pickle files containing embedded code that picklescan fails to detect, specifically when the code leverages the torch.utils.bottleneck.__main__.run_autograd_prof function. By exploiting this oversight, attackers can bypass the intended security scanning mechanisms of picklescan and achieve remote code execution (RCE) on systems that deserialize these specially crafted files. This vulnerability presents a high risk as it allows for undetectable arbitrary code execution, undermining the integrity and security of applications relying on picklescan for safe deserialization of Python objects, particularly in machine learning environments where pickle files are commonly used for model persistence.
Attack Chain
The provided source describes a vulnerability in picklescan's detection capabilities rather than a multi-stage attack chain in the wild. The exploitation scenario primarily involves the delivery and deserialization of a specially crafted malicious file. Therefore, a multi-step attack chain as observed in active campaigns cannot be accurately constructed from this information.
However, the core exploitation flow is as follows:
- Initial Access: An attacker delivers a malicious pickle file to a victim system (e.g., via email, download from an untrusted source, or compromised data pipeline).
- Defense Evasion (Bypass
picklescan): The malicious pickle file is crafted to invoke thetorch.utils.bottleneck.__main__.run_autograd_proffunction, whichpicklescanversions < 0.0.30 fail to identify as malicious. - Deserialization: The victim application or system attempts to load and deserialize the seemingly benign pickle file, potentially after a failed
picklescancheck. - Arbitrary Code Execution: During the deserialization process, the embedded malicious code within the pickle file is executed in the context of the application.
- Impact: The executed code performs actions determined by the attacker, such as system compromise, data exfiltration, or further malware deployment.
Impact
The successful exploitation of CVE-2025-71345 results in unauthenticated remote code execution on systems that process untrusted pickle files with vulnerable versions of picklescan. This allows attackers to bypass security measures, gain full control over the affected system, steal sensitive data, deploy ransomware, or establish persistence within the network. The vulnerability has a CVSS v3.1 base score of 8.1 (High), underscoring the severe consequences of exploitation, particularly in environments handling machine learning models or other serialized Python objects where picklescan is deployed for security scanning.
Recommendation
- Patch CVE-2025-71345 immediately: Update
picklescanto version 0.0.30 or newer to mitigate the vulnerability and ensure proper detection of malicious pickle files. - Implement Secure Deserialization Practices: Restrict the deserialization of pickle files from untrusted or unverified sources, as described by CWE-502.
- Educate Users: Train users and developers about the risks associated with handling untrusted serialized data, including pickle files.