CVE-2025-71375: Picklescan Arbitrary Code Execution via _operator.methodcaller Evasion
A vulnerability in `picklescan` versions prior to 0.0.34 (CVE-2025-71375) allows attackers to craft malicious Python pickle payloads using the `_operator.methodcaller` built-in function, which evades detection by the `picklescan` library and enables arbitrary code execution when the payload is loaded by an application using `pickle.load()`.
A critical vulnerability, tracked as CVE-2025-71375, has been identified in the picklescan Python library, affecting all versions before 0.0.34. This flaw allows malicious actors to bypass security checks designed to detect harmful code within Python pickle files. Specifically, picklescan fails to recognize the _operator.methodcaller built-in function as a potential threat vector. Attackers can leverage this oversight to embed arbitrary code within a pickle payload. When such a specially crafted payload is subsequently loaded by an application using Python's standard pickle.load() function, the embedded malicious code will execute, leading to potential system compromise. This vulnerability is significant for organizations that process or share Python pickle files and rely on picklescan for their security posture.
Attack Chain
- Attacker crafts a malicious Python pickle payload, meticulously designed to leverage the
_operator.methodcallerbuilt-in function to embed arbitrary code. - The malicious pickle payload is delivered to a target system, potentially as part of an uploaded file, a network stream, or a malicious data artifact exchanged between services.
- A system or application utilizing the
picklescanlibrary (version prior to 0.0.34) attempts to scan the received pickle file for malicious content to ensure its safety before processing. - Due to the vulnerability (CVE-2025-71375),
picklescanfails to identify the_operator.methodcallerbased malicious code within the pickle payload, allowing it to be marked as "safe" or undetected. - The legitimate application or service then proceeds to load the unsanitized (and still malicious) pickle file into memory using Python's
pickle.load()function. - Upon deserialization, the
_operator.methodcallerembedded in the pickle payload triggers the execution of the attacker's arbitrary code within the context and privileges of the vulnerable application. - The attacker achieves arbitrary code execution, which can lead to data exfiltration, system compromise, establishment of persistence, or further network pivoting within the victim's environment.
Impact
The successful exploitation of CVE-2025-71375 grants attackers arbitrary code execution capabilities on the affected system. This can lead to severe consequences, including full system compromise, sensitive data exfiltration, denial of service, or the deployment of further malware such as ransomware. While no specific victim count or targeted sectors are mentioned, any organization or developer using picklescan before version 0.0.34 to sanitize Python pickle files is at risk. The CVSS v3.1 base score of 8.1 (High) underscores the critical nature of this vulnerability, highlighting that it can be exploited remotely without authentication, requiring only user interaction (e.g., loading the malicious pickle).
Recommendation
- Patch CVE-2025-71375 immediately by upgrading the
picklescanlibrary to version 0.0.34 or higher in all development, staging, and production environments. - Implement strong input validation and deserialization policies, assuming any untrusted pickle file, even those scanned by vulnerable versions of
picklescan, may contain malicious code. - Review existing codebases for instances of
pickle.load()being used on data from untrusted sources, even if processed bypicklescan.