Skip to content
Threat Feed
high advisory

CVE-2025-71360: Picklescan RCE via Undetected Malicious Pickle Files

A high-severity deserialization of untrusted data vulnerability (CVE-2025-71360) in picklescan versions before 0.0.29 allows attackers to embed undetected remote command execution code within malicious pickle files, leading to arbitrary code execution when loaded by victims.

CVE-2025-71360 describes a critical deserialization vulnerability impacting picklescan versions prior to 0.0.29, a Python library designed to detect malicious code within Python pickle files. Specifically, the flaw lies in picklescan's failure to detect malicious code embedded using the idlelib.calltip.get_entity function within pickle reduce methods. This oversight allows attackers to craft specially designed pickle files containing arbitrary Python code that bypasses picklescan's security checks. When a victim subsequently loads such a malicious pickle file, the embedded code is executed, enabling remote command execution (RCE) on the affected system. This vulnerability poses a significant risk to applications that process or scan untrusted pickle files, as it effectively nullifies the security benefits picklescan is intended to provide.

Attack Chain

  1. An attacker crafts a malicious Python pickle file containing arbitrary code, leveraging the idlelib.calltip.get_entity function within the pickle's __reduce__ method to embed their payload.
  2. The attacker distributes this specially crafted pickle file to a target system, potentially through email attachments, untrusted file downloads, or as part of a compromised data exchange.
  3. A victim receives and attempts to process or scan the untrusted pickle file using an affected version of the picklescan library (prior to 0.0.29).
  4. The picklescan library, when performing its security checks, fails to correctly identify and flag the malicious code embedded via idlelib.calltip.get_entity.
  5. The malicious pickle file is then loaded or deserialized by a Python application or script on the victim's system.
  6. During the deserialization process, the embedded code within the pickle file executes, leading to arbitrary remote command execution on the victim's system, granting the attacker control.

Impact

Successful exploitation of CVE-2025-71360 leads to arbitrary remote code execution on the victim's system. This can result in complete system compromise, allowing attackers to install malware, exfiltrate sensitive data, establish persistence, or pivot to other systems within the network. Organizations relying on picklescan for validating untrusted data could be unknowingly processing malicious content, leading to widespread compromise. The direct impact is the subversion of a security control, enabling attackers to bypass detection and execute their payloads.

Recommendation

  • Immediately update picklescan to version 0.0.29 or newer to remediate CVE-2025-71360.
  • Implement strict controls around the handling and loading of Python pickle files, treating all external or untrusted pickle files as potentially malicious.
  • Educate users and developers on the dangers of deserializing untrusted data and the importance of using secure deserialization alternatives or strict validation.
  • Consider deploying application-level sandboxing or isolation for processes that handle pickle file deserialization to limit the impact of potential RCE.