Skip to content
Threat Feed
high advisory

CVE-2025-71347: Picklescan Bypass Leads to Arbitrary Code Execution via Malicious Pickle Files

A critical vulnerability (CVE-2025-71347) exists in picklescan prior to version 0.0.33, allowing remote attackers to bypass security checks by failing to detect malicious pickle files leveraging the numpy.f2py.crackfortran.param_eval function, leading to arbitrary code execution upon deserialization of untrusted data.

A critical vulnerability, CVE-2025-71347, has been identified in the picklescan library prior to version 0.0.33. This flaw specifically impacts the library's ability to detect malicious pickle files that leverage the numpy.f2py.crackfortran.param_eval function within their reduce methods during deserialization. Remote attackers can exploit this bypass to embed arbitrary code within seemingly legitimate pickle files. When an application loads and deserializes such an untrusted, malicious pickle file, the embedded code executes, granting the attacker arbitrary code execution capabilities. This vulnerability is significant for organizations that process or scan Python pickle files, as it allows sophisticated bypasses of security tooling, potentially leading to system compromise through a trusted deserialization process. The issue stems from inadequate sanitization or detection logic within picklescan when encountering specific NumPy functions, highlighting the persistent risk of deserialization vulnerabilities in Python ecosystems.

Attack Chain

  1. Payload Crafting: An attacker crafts a malicious Python pickle file, embedding a call to numpy.f2py.crackfortran.param_eval with attacker-controlled arguments within the pickle's reduce method.
  2. Delivery: The attacker delivers the specially crafted malicious pickle file to a target system. This delivery can occur via various means such as email attachments, file downloads, or through compromised data repositories.
  3. Defense Bypass: If the target system uses picklescan versions prior to 0.0.33 to inspect the file, the vulnerability (CVE-2025-71347) causes picklescan to fail to detect the malicious code embedded via numpy.f2py.crackfortran.param_eval.
  4. Execution Trigger: A vulnerable application on the victim's system, designed to process Python pickle data, attempts to load and deserialize the untrusted, now undetected, malicious pickle file.
  5. Arbitrary Code Execution: During the deserialization process, the embedded numpy.f2py.crackfortran.param_eval function is invoked by the Python interpreter, leading to the execution of arbitrary code defined by the attacker.
  6. Impact: The attacker gains control over the application's process with the privileges of the running application, potentially allowing for data exfiltration, further system compromise, or persistence.

Impact

Successful exploitation of CVE-2025-71347 results in arbitrary code execution, enabling attackers to fully compromise the affected application and potentially the underlying system. This can lead to sensitive data exfiltration, installation of additional malware, privilege escalation, and complete control over the compromised environment. While the NVD advisory does not specify observed victims or targeted sectors, any organization that uses picklescan to validate Python pickle files or deserializes untrusted pickle data is at risk of severe impact, including financial loss, operational disruption, and reputational damage.

Recommendation

  • Upgrade picklescan to version 0.0.33 or later immediately to patch CVE-2025-71347.
  • Implement strict input validation and deserialization policies to prevent applications from loading untrusted pickle files, even if scanned by older picklescan versions.
  • Refer to the advisory links provided in the references section for more detailed information about CVE-2025-71347 and mitigation strategies.
  • Ensure all applications processing pickle data are isolated in sandboxed environments to minimize the blast radius of potential arbitrary code execution.

Indicators of compromise

2

url

TypeValue
urlhttps://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4
urlhttps://www.vulncheck.com/advisories/picklescan-undetected-remote-code-execution-via-numpy-f2py-crackfortran-param-eval