Skip to content
Threat Feed
high advisory

CVE-2025-71366: Picklescan Deserialization Vulnerability Leads to RCE

A critical deserialization vulnerability (CVE-2025-71366) exists in picklescan versions prior to 0.0.28, allowing remote attackers to bypass safety checks by embedding malicious `torch.utils.bottleneck.__main__.run_cprofile` function calls in pickle files, leading to arbitrary code execution when victims load the crafted files.

A significant deserialization vulnerability, tracked as CVE-2025-71366, has been identified in picklescan versions predating 0.0.28. This flaw allows malicious actors to craft Python pickle files that include specific torch.utils.bottleneck.__main__.run_cprofile function calls. Critically, the picklescan library, designed to detect and prevent malicious code execution from untrusted pickle files, fails to properly identify these embedded calls. This bypass of security checks enables remote attackers to inject and execute arbitrary code. When a victim's system loads such a specially crafted and undetected malicious pickle file, the embedded code executes with the privileges of the application processing the file, leading to potential system compromise and data loss. This vulnerability is highly impactful due to the widespread use of pickle files in Python ecosystems for data serialization and the security trust placed in picklescan.

Attack Chain

  1. An attacker crafts a malicious Python pickle file containing a serialized object that leverages torch.utils.bottleneck.__main__.run_cprofile to embed arbitrary code.
  2. The attacker ensures the payload is specifically designed to bypass the detection mechanisms implemented in picklescan versions older than 0.0.28.
  3. The attacker delivers the crafted malicious pickle file to a target system, potentially through untrusted data ingestion, shared repositories, or direct download.
  4. A user or an automated process on the victim's system initiates the loading of the malicious pickle file using a Python application that integrates with the vulnerable picklescan library.
  5. During the scanning process, the vulnerable picklescan library (version < 0.0.28) fails to detect the malicious torch.utils.bottleneck.__main__.run_cprofile call due to the inherent deserialization vulnerability.
  6. Upon deserialization of the undetected malicious pickle file, the embedded arbitrary code is executed on the victim's system, achieving remote code execution.

Impact

Successful exploitation of CVE-2025-71366 results in arbitrary code execution on the victim's system, allowing attackers to take full control of the compromised machine. This can lead to unauthorized data access, modification, or exfiltration; installation of malware such as ransomware or backdoors; and further lateral movement within the network. While specific victim counts or targeted sectors are not provided in the source, any organization or individual processing untrusted pickle files with vulnerable versions of picklescan could be at risk, especially those in data science, machine learning, or research environments.

Recommendation

  • Patch CVE-2025-71366 immediately by upgrading picklescan to version 0.0.28 or later to address the deserialization vulnerability.
  • Implement strict validation and sandboxing for all incoming pickle files, especially those from untrusted sources, even after patching, as a defense-in-depth measure against similar deserialization flaws.