Skip to content
Threat Feed
high advisory

CVE-2025-71369: Picklescan Malicious Pickle Detection Bypass Leading to RCE

A critical vulnerability, CVE-2025-71369, in `picklescan` versions prior to 0.0.28 allows remote attackers to bypass safety checks for malicious Python pickle files that utilize specific `torch.utils.data.datapipes` methods, enabling undetected embedded malicious code to execute during deserialization, which results in remote code execution (RCE) on the victim's system.

CVE-2025-71369 addresses a critical flaw in picklescan versions released before 0.0.28, a tool designed to detect malicious Python pickle files. This vulnerability permits remote attackers to craft specially designed pickle files that leverage torch.utils.data.datapipes.utils.decoder.basichandlers within their __reduce__ methods. The picklescan library, when tasked with scanning such files, fails to identify the embedded malicious code, effectively bypassing its intended security checks. Consequently, when an affected application or system subsequently deserializes these "undetected" malicious pickle files, the embedded code is executed, leading to remote code execution (RCE). This poses a significant supply chain risk, as data scientists or ML engineers using vulnerable picklescan versions could inadvertently process compromised data, granting attackers control over their environments.

Attack Chain

  1. An attacker crafts a malicious Python pickle file by embedding arbitrary code within the __reduce__ method, specifically utilizing torch.utils.data.datapipes.utils.decoder.basichandlers to evade detection.
  2. The attacker distributes this malicious pickle file, potentially through compromised data repositories, malicious PyPI packages, or by sending it directly to a target.
  3. A victim organization or individual downloads and stores the seemingly benign pickle file, potentially as part of a dataset or machine learning model.
  4. The victim's environment, which integrates a vulnerable version of picklescan (prior to 0.0.28), processes or scans the downloaded pickle file.
  5. Due to CVE-2025-71369, picklescan fails to identify the malicious payload within the pickle file, allowing it to be treated as legitimate.
  6. A Python application or framework within the victim's environment attempts to deserialize the "clean" pickle file.
  7. During the deserialization process, the malicious code embedded via the __reduce__ method is executed by the Python interpreter.
  8. This execution leads to remote code execution (RCE), granting the attacker unauthorized control over the system where deserialization occurred, potentially allowing for data exfiltration, further compromise, or system disruption.

Impact

The successful exploitation of CVE-2025-71369 can lead to severe consequences, as remote code execution (RCE) grants attackers full control over the compromised system. This can result in unauthorized access to sensitive data, installation of backdoors, deployment of ransomware, or the use of the compromised system as a pivot point for further network penetration. Given the nature of pickle files in data science and machine learning workflows, this vulnerability presents a significant supply chain risk, potentially affecting numerous organizations that exchange or process such data. The CVSS v3.1 Base Score of 8.1 (High) underscores the critical nature of this flaw, highlighting the ease of exploitation and high impact on confidentiality and integrity.

Recommendation

  • Immediately upgrade picklescan to version 0.0.28 or later to remediate CVE-2025-71369, which contains the fix for this vulnerability.
  • Implement strict input validation and sanitization for all pickle files processed by your applications, especially those originating from untrusted or external sources.
  • Review existing practices for handling and deserializing pickle files; avoid deserializing untrusted data whenever possible.
  • Ensure that any systems processing pickle files operate with the principle of least privilege to minimize the potential impact of successful exploitation.