CVE-2025-71360: Picklescan RCE via Undetected Malicious Pickle Files
A high-severity deserialization of untrusted data vulnerability (CVE-2025-71360) in picklescan versions before 0.0.29 allows attackers to embed undetected remote command execution code within malicious pickle files, leading to arbitrary code execution when loaded by victims.
CVE-2025-71360 describes a critical deserialization vulnerability impacting picklescan versions prior to 0.0.29, a Python library designed to detect malicious code within Python pickle files. Specifically, the flaw lies in picklescan's failure to detect malicious code embedded using the idlelib.calltip.get_entity function within pickle reduce methods. This oversight allows attackers to craft specially designed pickle files containing arbitrary Python code that bypasses picklescan's security checks. When a victim subsequently loads such a malicious pickle file, the embedded code is executed, enabling remote command execution (RCE) on the affected system. This vulnerability poses a significant risk to applications that process or scan untrusted pickle files, as it effectively nullifies the security benefits picklescan is intended to provide.
Attack Chain
- An attacker crafts a malicious Python pickle file containing arbitrary code, leveraging the
idlelib.calltip.get_entityfunction within the pickle's__reduce__method to embed their payload. - The attacker distributes this specially crafted pickle file to a target system, potentially through email attachments, untrusted file downloads, or as part of a compromised data exchange.
- A victim receives and attempts to process or scan the untrusted pickle file using an affected version of the
picklescanlibrary (prior to 0.0.29). - The
picklescanlibrary, when performing its security checks, fails to correctly identify and flag the malicious code embedded viaidlelib.calltip.get_entity. - The malicious pickle file is then loaded or deserialized by a Python application or script on the victim's system.
- During the deserialization process, the embedded code within the pickle file executes, leading to arbitrary remote command execution on the victim's system, granting the attacker control.
Impact
Successful exploitation of CVE-2025-71360 leads to arbitrary remote code execution on the victim's system. This can result in complete system compromise, allowing attackers to install malware, exfiltrate sensitive data, establish persistence, or pivot to other systems within the network. Organizations relying on picklescan for validating untrusted data could be unknowingly processing malicious content, leading to widespread compromise. The direct impact is the subversion of a security control, enabling attackers to bypass detection and execute their payloads.
Recommendation
- Immediately update
picklescanto version 0.0.29 or newer to remediate CVE-2025-71360. - Implement strict controls around the handling and loading of Python pickle files, treating all external or untrusted pickle files as potentially malicious.
- Educate users and developers on the dangers of deserializing untrusted data and the importance of using secure deserialization alternatives or strict validation.
- Consider deploying application-level sandboxing or isolation for processes that handle pickle file deserialization to limit the impact of potential RCE.