Skip to content
Threat Feed
high advisory

CVE-2025-71372: Picklescan Deserialization Vulnerability (Numpy Gadget)

CVE-2025-71372 describes a critical vulnerability in Picklescan versions prior to 0.0.33, where the tool fails to detect a specific numpy gadget in pickle `__reduce__` methods, allowing attackers to craft malicious pickle files that execute arbitrary Python code when loaded, bypassing safety checks and enabling supply-chain poisoning of shared model files.

CVE-2025-71372 addresses a significant security flaw in Picklescan versions before 0.0.33. Picklescan, a tool designed to analyze Python pickle files for malicious content, specifically fails to identify the numpy.f2py.crackfortran.getlincoef gadget when it's present within a pickle file's __reduce__ method. This oversight enables attackers to craft highly potent malicious pickle files that can contain and execute arbitrary Python code. When such a specially crafted pickle file is subsequently loaded by a Python application, the embedded code will execute, completely bypassing Picklescan's intended security defenses. This vulnerability poses a severe risk of supply-chain poisoning, particularly in environments where machine learning models or other data are exchanged as pickle files, as it allows attackers to inject malicious code into trusted data streams.

Attack Chain

  1. Attacker Crafts Malicious Pickle File: An attacker creates a Python pickle file designed to exploit the vulnerability. This file specifically incorporates the numpy.f2py.crackfortran.getlincoef gadget within a __reduce__ method, embedding arbitrary Python code for execution.
  2. Distribution of Malicious File: The malicious pickle file is distributed to target systems or users, often disguised as a legitimate shared resource, such as a machine learning model, dataset, or configuration file.
  3. Picklescan Bypass: The victim organization uses Picklescan (version prior to 0.0.33) to scan the received pickle file for security threats. Due to the vulnerability, Picklescan fails to detect the embedded malicious gadget.
  4. Legitimate Loading: A Python application within the victim's environment, believing the file to be safe due to the bypassed scan, loads (deserializes) the pickle file using standard Python pickle.load() functions.
  5. Gadget Invocation: During the deserialization process, Python's pickle module encounters and invokes the __reduce__ method containing the malicious numpy.f2py.crackfortran.getlincoef gadget.
  6. Arbitrary Code Execution: The arbitrary Python code embedded by the attacker within the gadget is executed on the system with the privileges of the Python application, leading to compromise, data exfiltration, or further system manipulation.
  7. Supply Chain Poisoning: If the compromised system then shares derived or new model files, the malicious code could propagate, leading to wider supply-chain poisoning.

Impact

This vulnerability carries a high impact, allowing for arbitrary code execution and enabling supply-chain poisoning of shared model files. If successfully exploited, attackers can gain full control over the system where the malicious pickle file is loaded, leading to data theft, system disruption, or deployment of further malware. The nature of pickle files, often used in scientific computing and machine learning for sharing models and data, means that organizations relying on these exchanges could unknowingly ingest malicious code. The immediate consequence is a complete compromise of the processing environment, with potential follow-on effects of data loss, intellectual property theft, or widespread network intrusion.

Recommendation

  • Immediately update Picklescan to version 0.0.33 or newer to patch CVE-2025-71372 and ensure proper detection of malicious numpy gadgets.
  • Educate development and data science teams on the risks associated with deserializing untrusted pickle files, even those seemingly cleared by older versions of Picklescan.
  • Implement strict provenance checks for all pickle files entering the environment; only load files from trusted and verified sources.
  • Perform a retrospective scan of existing pickle files within your environment using the patched Picklescan version to identify any already compromised models or data artifacts.

Indicators of compromise

2

url

TypeValue
urlhttps://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x
urlhttps://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-numpy-f2py-crackfortran-getlincoef-gadget