Skip to content
Threat Feed
high advisory

CVE-2025-71362 — picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functio...

picklescan versions prior to 0.0.33 are vulnerable to unsafe deserialization via CVE-2025-71362, allowing attackers to embed malicious code in pickle files that executes due to `numpy.f2py.crackfortran` calling `eval` on arbitrary strings when loaded from untrusted sources, leading to arbitrary code execution.

A critical vulnerability, CVE-2025-71362, has been identified in picklescan versions prior to 0.0.33. This issue stems from picklescan's failure to adequately detect unsafe deserialization patterns within numpy.f2py.crackfortran functions. Specifically, when these functions process data, they may call eval on arbitrary strings derived from pickle files, creating an arbitrary code execution vector. Attackers can craft malicious pickle files containing embedded code. If these untrusted files are subsequently loaded and processed by a vulnerable picklescan instance, the embedded malicious code will execute, granting the attacker control over the compromised system. This vulnerability poses a significant risk to applications and environments that handle or process pickle files from external or untrusted sources.

Attack Chain

  1. Vulnerability Identification: An attacker identifies a target system or application that uses picklescan (version < 0.0.33) to process Python pickle files.
  2. Malicious Pickle File Creation: The attacker crafts a specially designed pickle file that contains malicious Python code. This code is structured to exploit the unsafe deserialization flaw in numpy.f2py.crackfortran functions, ensuring that when the file is loaded, the eval function is called with the attacker's payload.
  3. Delivery: The attacker delivers the malicious pickle file to the victim. This could be via email (as an attachment), through a compromised web application, or by placing it in a location where the victim's application is expected to load files (e.g., a shared drive, an untrusted repository).
  4. User/Application Interaction: The victim's application or user, believing the pickle file to be legitimate or benign, initiates the loading process of the untrusted pickle file using the vulnerable picklescan library.
  5. Vulnerable Deserialization: During the deserialization process, the picklescan library invokes numpy.f2py.crackfortran functions. Due to the CVE-2025-71362 vulnerability, these functions call eval on the arbitrary malicious strings embedded within the pickle file.
  6. Arbitrary Code Execution: The eval call executes the attacker's embedded malicious code within the context of the vulnerable application, leading to arbitrary code execution on the host system.
  7. Impact on System: With arbitrary code execution, the attacker can achieve various objectives, such as data exfiltration, installation of malware, establishment of persistence, or full system compromise.

Impact

The successful exploitation of CVE-2025-71362 allows for arbitrary code execution on the system running the vulnerable picklescan instance. This means an attacker could gain full control over the affected system, potentially leading to complete data compromise, installation of ransomware, deployment of backdoors, or lateral movement within the network. While specific victim counts or targeted sectors are not detailed in the NVD advisory, any organization or developer using affected versions of picklescan to process untrusted Python pickle files is at risk. The consequences range from data breach and operational disruption to severe reputational damage.

Recommendation

  • Patch CVE-2025-71362: Immediately upgrade picklescan to version 0.0.33 or later to mitigate CVE-2025-71362.
  • Implement Input Validation: Ensure that all pickle files processed by applications are from trusted sources and implement strict validation before deserialization.
  • Isolate Processing: If processing untrusted pickle files is unavoidable, perform the deserialization in a highly isolated environment (e.g., a secure sandbox or virtual machine) to contain potential arbitrary code execution.