CVE-2025-71356: picklescan Deserialization Vulnerability Leads to RCE
A critical deserialization vulnerability (CVE-2025-71356) in `picklescan` versions prior to 0.0.28 allows attackers to embed undetected malicious code within Python pickle files, leading to remote code execution when these files are loaded by victims.
CVE-2025-71356 describes a critical deserialization vulnerability impacting picklescan versions before 0.0.28. This vulnerability arises because the library fails to properly detect malicious torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function calls embedded within Python pickle files. Attackers can leverage this flaw to craft specially designed pickle files that, when loaded by a victim's application utilizing picklescan, execute arbitrary code. The issue allows for pre-payload code execution without detection, bypassing the intended security scanning capabilities of picklescan. This could allow threat actors to deliver malware, establish persistence, or exfiltrate data through seemingly benign data files, posing a significant risk to machine learning and data science environments that frequently exchange pickle files.
Attack Chain
- An attacker crafts a malicious Python
picklefile containing a specially constructedtorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expressioncall that includes arbitrary code. - The attacker delivers this malicious
picklefile to a target system, potentially via email, compromised data repositories, or untrusted downloads. - A Python application on the victim's system attempts to load or process the
picklefile. - If the
picklescanlibrary is used to scan the file for malicious content, it fails to detect the embedded arbitrary code within thetorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expressioncall. - During the standard Python
pickledeserialization process, the vulnerableevaluate_guards_expressioncall is executed. - The embedded arbitrary code payload is then executed on the victim's system, leading to remote code execution, granting the attacker control over the compromised system.
Impact
Successful exploitation of CVE-2025-71356 can lead to complete system compromise through remote code execution. Victims, particularly those in data science, machine learning, and AI sectors that frequently handle pickle files from various sources, are at risk. Attackers could exploit this to deploy ransomware, establish backdoors, steal sensitive intellectual property, or use the compromised system as a pivot point for further network penetration. The undetected nature of the malicious code within the pickle file bypasses security controls, making this a high-impact vulnerability.
Recommendation
- Upgrade
picklescanto version 0.0.28 or later immediately to mitigate CVE-2025-71356. - Implement strict input validation and source verification for all Python
picklefiles loaded in your environment, especially those originating from untrusted sources, even after upgradingpicklescan. - Review your software supply chain for components that use or process
picklefiles to identify and update any vulnerable instances ofpicklescan.