Skip to content
Threat Feed
high advisory

CVE-2025-71356: picklescan Deserialization Vulnerability Leads to RCE

A critical deserialization vulnerability (CVE-2025-71356) in `picklescan` versions prior to 0.0.28 allows attackers to embed undetected malicious code within Python pickle files, leading to remote code execution when these files are loaded by victims.

CVE-2025-71356 describes a critical deserialization vulnerability impacting picklescan versions before 0.0.28. This vulnerability arises because the library fails to properly detect malicious torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function calls embedded within Python pickle files. Attackers can leverage this flaw to craft specially designed pickle files that, when loaded by a victim's application utilizing picklescan, execute arbitrary code. The issue allows for pre-payload code execution without detection, bypassing the intended security scanning capabilities of picklescan. This could allow threat actors to deliver malware, establish persistence, or exfiltrate data through seemingly benign data files, posing a significant risk to machine learning and data science environments that frequently exchange pickle files.

Attack Chain

  1. An attacker crafts a malicious Python pickle file containing a specially constructed torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression call that includes arbitrary code.
  2. The attacker delivers this malicious pickle file to a target system, potentially via email, compromised data repositories, or untrusted downloads.
  3. A Python application on the victim's system attempts to load or process the pickle file.
  4. If the picklescan library is used to scan the file for malicious content, it fails to detect the embedded arbitrary code within the torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression call.
  5. During the standard Python pickle deserialization process, the vulnerable evaluate_guards_expression call is executed.
  6. The embedded arbitrary code payload is then executed on the victim's system, leading to remote code execution, granting the attacker control over the compromised system.

Impact

Successful exploitation of CVE-2025-71356 can lead to complete system compromise through remote code execution. Victims, particularly those in data science, machine learning, and AI sectors that frequently handle pickle files from various sources, are at risk. Attackers could exploit this to deploy ransomware, establish backdoors, steal sensitive intellectual property, or use the compromised system as a pivot point for further network penetration. The undetected nature of the malicious code within the pickle file bypasses security controls, making this a high-impact vulnerability.

Recommendation

  • Upgrade picklescan to version 0.0.28 or later immediately to mitigate CVE-2025-71356.
  • Implement strict input validation and source verification for all Python pickle files loaded in your environment, especially those originating from untrusted sources, even after upgrading picklescan.
  • Review your software supply chain for components that use or process pickle files to identify and update any vulnerable instances of picklescan.