Skip to content
Threat Feed
high advisory

CVE-2025-71367: Picklescan Bypass Leading to Arbitrary Code Execution

Picklescan versions prior to 0.0.34 contain a deserialization vulnerability (CVE-2025-71367) that allows remote attackers to bypass security checks by crafting malicious pickle files using `_operator.attrgetter` in reduce methods, leading to arbitrary code execution when `pickle.load()` processes the file.

A critical vulnerability, CVE-2025-71367, has been identified in picklescan versions prior to 0.0.34. This security flaw stems from picklescan's inability to properly detect the use of _operator.attrgetter function calls when they are embedded within pickle payloads' reduce methods. This oversight allows remote attackers to effectively bypass picklescan's intended security checks, designed to prevent malicious deserialization. By crafting a specially designed pickle file that leverages this bypass, an attacker can achieve arbitrary code execution on systems that deserialize these files using pickle.load() while relying on the vulnerable picklescan version for security. This vulnerability exposes affected applications to severe compromise, including full system control and data exfiltration.

Attack Chain

  1. Attacker crafts a malicious Python pickle file containing carefully constructed bytecode.
  2. The malicious pickle payload specifically utilizes the _operator.attrgetter function within reduce methods to invoke arbitrary code.
  3. This specific structure is designed to evade the security detection mechanisms implemented in picklescan versions before 0.0.34.
  4. The attacker delivers this crafted pickle file to a victim system, potentially via email attachments, compromised package repositories, or malicious downloads.
  5. A vulnerable application on the victim system attempts to deserialize the malicious pickle file using Python's pickle.load() function.
  6. During the deserialization process, the integrated picklescan library (version < 0.0.34) fails to identify the embedded, malicious _operator.attrgetter calls as a threat.
  7. Due to picklescan's detection bypass, the deserialization process proceeds unchecked, leading to the execution of the arbitrary code defined within the malicious pickle payload.
  8. The attacker successfully achieves arbitrary code execution on the victim system, potentially leading to system compromise, data theft, or further lateral movement.

Impact

Successful exploitation of CVE-2025-71367 can lead to severe consequences for organizations utilizing picklescan versions before 0.0.34. Since the vulnerability allows for arbitrary code execution, attackers can gain full control over the compromised system, leading to unauthorized data access, modification, or destruction. This could result in significant data breaches, operational disruption, and reputational damage. While specific victim counts are not available, any system processing untrusted pickle files with vulnerable picklescan versions is at risk, particularly those in data science, machine learning, or software development pipelines where pickle is frequently used for object serialization.

Recommendation

  • Immediately update picklescan to version 0.0.34 or higher to remediate CVE-2025-71367.
  • Ensure all applications and services that handle pickle files are using the patched picklescan library.
  • Implement secure deserialization practices, avoiding pickle.load() of untrusted data even with security scanning, as illustrated by CVE-2025-71367.