CVE-2025-71359: Picklescan Deserialization RCE Bypass
Picklescan versions prior to 0.0.29 are vulnerable to remote code execution (CVE-2025-71359) due to a failure in detecting malicious Python pickle payloads that utilize `lib2to3.pgen2.grammar.Grammar.loads`, allowing attackers to craft files that evade detection and execute arbitrary code during deserialization.
This brief addresses CVE-2025-71359, a high-severity vulnerability impacting picklescan versions before 0.0.29. The picklescan library, designed to detect malicious Python pickle payloads, fails to identify specific evasion techniques. Specifically, attackers can craft pickle files that embed dangerous code by leveraging lib2to3.pgen2.grammar.Grammar.loads within the __reduce__ method. These specially crafted payloads bypass picklescan's scrutiny. When an application subsequently deserializes such an untrusted pickle file using Python's pickle.load(), the embedded malicious code executes on the host system. This remote code execution (RCE) can grant attackers significant control over the compromised environment, allowing for data exfiltration, system modification, or further network penetration. The vulnerability highlights the inherent risks of deserializing untrusted data and the need for robust validation mechanisms.
Attack Chain
- Craft Malicious Pickle Payload: An attacker crafts a Python pickle file (
.pkl) embedding arbitrary code, specifically utilizinglib2to3.pgen2.grammar.Grammar.loadswithin the__reduce__method to achieve RCE. - Evade Security Scanner: The crafted malicious payload is designed to exploit the flaw in
picklescanversions prior to 0.0.29, allowing it to bypass its detection mechanisms. - Delivery of Malicious File: The attacker delivers the malicious pickle file to a target system. This could occur via various vectors, such as uploading to a vulnerable web application, attaching it to a phishing email, or injecting it into a compromised software supply chain.
- Target Application Processes Pickle File: A vulnerable application on the target system receives and attempts to deserialize the seemingly benign (undetected by
picklescan) malicious pickle file using Python'spickle.load()function. - Deserialization and Code Execution: During the deserialization process, the
__reduce__method within the pickle object is invoked, and the embeddedGrammar.loadsexecutes the attacker's arbitrary code. - Remote Code Execution (RCE): The attacker's code runs with the privileges of the vulnerable application, leading to remote code execution on the target system.
Impact
Successful exploitation of CVE-2025-71359 results in remote code execution (RCE) on the host system where the vulnerable picklescan library is used to validate and subsequently deserialize malicious pickle files. This level of access allows attackers to take complete control of the affected application and potentially the underlying server. Consequences can include unauthorized data access, modification, or deletion, installation of malware (e.g., ransomware, backdoors), lateral movement within the network, and complete system compromise. The severity of the impact depends on the privileges of the compromised application and the data it processes.
Recommendation
- Immediately update
picklescanto version 0.0.29 or newer to remediate CVE-2025-71359. - Implement strict input validation and sanitization for all incoming pickle files, regardless of
picklescanusage. - Adopt secure deserialization practices by never deserializing untrusted data. If deserialization is unavoidable, implement restricted unpickling environments, such as those that limit available classes and functions during
pickle.load().