{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/picklescan--0.0.28/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71369"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["python","deserialization","rce","vulnerability","supply-chain","machine-learning"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71369 addresses a critical flaw in \u003ccode\u003epicklescan\u003c/code\u003e versions released before 0.0.28, a tool designed to detect malicious Python pickle files. This vulnerability permits remote attackers to craft specially designed pickle files that leverage \u003ccode\u003etorch.utils.data.datapipes.utils.decoder.basichandlers\u003c/code\u003e within their \u003ccode\u003e__reduce__\u003c/code\u003e methods. The \u003ccode\u003epicklescan\u003c/code\u003e library, when tasked with scanning such files, fails to identify the embedded malicious code, effectively bypassing its intended security checks. Consequently, when an affected application or system subsequently deserializes these \u0026quot;undetected\u0026quot; malicious pickle files, the embedded code is executed, leading to remote code execution (RCE). This poses a significant supply chain risk, as data scientists or ML engineers using vulnerable \u003ccode\u003epicklescan\u003c/code\u003e versions could inadvertently process compromised data, granting attackers control over their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python pickle file by embedding arbitrary code within the \u003ccode\u003e__reduce__\u003c/code\u003e method, specifically utilizing \u003ccode\u003etorch.utils.data.datapipes.utils.decoder.basichandlers\u003c/code\u003e to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes this malicious pickle file, potentially through compromised data repositories, malicious PyPI packages, or by sending it directly to a target.\u003c/li\u003e\n\u003cli\u003eA victim organization or individual downloads and stores the seemingly benign pickle file, potentially as part of a dataset or machine learning model.\u003c/li\u003e\n\u003cli\u003eThe victim's environment, which integrates a vulnerable version of \u003ccode\u003epicklescan\u003c/code\u003e (prior to 0.0.28), processes or scans the downloaded pickle file.\u003c/li\u003e\n\u003cli\u003eDue to CVE-2025-71369, \u003ccode\u003epicklescan\u003c/code\u003e fails to identify the malicious payload within the pickle file, allowing it to be treated as legitimate.\u003c/li\u003e\n\u003cli\u003eA Python application or framework within the victim's environment attempts to deserialize the \u0026quot;clean\u0026quot; pickle file.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, the malicious code embedded via the \u003ccode\u003e__reduce__\u003c/code\u003e method is executed by the Python interpreter.\u003c/li\u003e\n\u003cli\u003eThis execution leads to remote code execution (RCE), granting the attacker unauthorized control over the system where deserialization occurred, potentially allowing for data exfiltration, further compromise, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71369 can lead to severe consequences, as remote code execution (RCE) grants attackers full control over the compromised system. This can result in unauthorized access to sensitive data, installation of backdoors, deployment of ransomware, or the use of the compromised system as a pivot point for further network penetration. Given the nature of pickle files in data science and machine learning workflows, this vulnerability presents a significant supply chain risk, potentially affecting numerous organizations that exchange or process such data. The CVSS v3.1 Base Score of 8.1 (High) underscores the critical nature of this flaw, highlighting the ease of exploitation and high impact on confidentiality and integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later to remediate CVE-2025-71369, which contains the fix for this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all pickle files processed by your applications, especially those originating from untrusted or external sources.\u003c/li\u003e\n\u003cli\u003eReview existing practices for handling and deserializing pickle files; avoid deserializing untrusted data whenever possible.\u003c/li\u003e\n\u003cli\u003eEnsure that any systems processing pickle files operate with the principle of least privilege to minimize the potential impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:27:56Z","date_published":"2026-07-04T02:27:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71369-picklescan-rce-bypass/","summary":"A critical vulnerability, CVE-2025-71369, in `picklescan` versions prior to 0.0.28 allows remote attackers to bypass safety checks for malicious Python pickle files that utilize specific `torch.utils.data.datapipes` methods, enabling undetected embedded malicious code to execute during deserialization, which results in remote code execution (RCE) on the victim's system.","title":"CVE-2025-71369: Picklescan Malicious Pickle Detection Bypass Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71369-picklescan-rce-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71366"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","deserialization","python","picklescan"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eA significant deserialization vulnerability, tracked as CVE-2025-71366, has been identified in \u003ccode\u003epicklescan\u003c/code\u003e versions predating 0.0.28. This flaw allows malicious actors to craft Python pickle files that include specific \u003ccode\u003etorch.utils.bottleneck.__main__.run_cprofile\u003c/code\u003e function calls. Critically, the \u003ccode\u003epicklescan\u003c/code\u003e library, designed to detect and prevent malicious code execution from untrusted pickle files, fails to properly identify these embedded calls. This bypass of security checks enables remote attackers to inject and execute arbitrary code. When a victim's system loads such a specially crafted and undetected malicious pickle file, the embedded code executes with the privileges of the application processing the file, leading to potential system compromise and data loss. This vulnerability is highly impactful due to the widespread use of pickle files in Python ecosystems for data serialization and the security trust placed in \u003ccode\u003epicklescan\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python pickle file containing a serialized object that leverages \u003ccode\u003etorch.utils.bottleneck.__main__.run_cprofile\u003c/code\u003e to embed arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the payload is specifically designed to bypass the detection mechanisms implemented in \u003ccode\u003epicklescan\u003c/code\u003e versions older than 0.0.28.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted malicious pickle file to a target system, potentially through untrusted data ingestion, shared repositories, or direct download.\u003c/li\u003e\n\u003cli\u003eA user or an automated process on the victim's system initiates the loading of the malicious pickle file using a Python application that integrates with the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eDuring the scanning process, the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e library (version \u0026lt; 0.0.28) fails to detect the malicious \u003ccode\u003etorch.utils.bottleneck.__main__.run_cprofile\u003c/code\u003e call due to the inherent deserialization vulnerability.\u003c/li\u003e\n\u003cli\u003eUpon deserialization of the undetected malicious pickle file, the embedded arbitrary code is executed on the victim's system, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71366 results in arbitrary code execution on the victim's system, allowing attackers to take full control of the compromised machine. This can lead to unauthorized data access, modification, or exfiltration; installation of malware such as ransomware or backdoors; and further lateral movement within the network. While specific victim counts or targeted sectors are not provided in the source, any organization or individual processing untrusted pickle files with vulnerable versions of \u003ccode\u003epicklescan\u003c/code\u003e could be at risk, especially those in data science, machine learning, or research environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2025-71366 immediately\u003c/strong\u003e by upgrading \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later to address the deserialization vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict validation and sandboxing for all incoming pickle files, especially those from untrusted sources, even after patching, as a defense-in-depth measure against similar deserialization flaws.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:26:41Z","date_published":"2026-07-04T02:26:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71366-picklescan-deserialization/","summary":"A critical deserialization vulnerability (CVE-2025-71366) exists in picklescan versions prior to 0.0.28, allowing remote attackers to bypass safety checks by embedding malicious `torch.utils.bottleneck.__main__.run_cprofile` function calls in pickle files, leading to arbitrary code execution when victims load the crafted files.","title":"CVE-2025-71366: Picklescan Deserialization Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71366-picklescan-deserialization/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71356"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["deserialization","python","vulnerability","rce","machine-learning"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71356 describes a critical deserialization vulnerability impacting \u003ccode\u003epicklescan\u003c/code\u003e versions before 0.0.28. This vulnerability arises because the library fails to properly detect malicious \u003ccode\u003etorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\u003c/code\u003e function calls embedded within Python pickle files. Attackers can leverage this flaw to craft specially designed pickle files that, when loaded by a victim's application utilizing \u003ccode\u003epicklescan\u003c/code\u003e, execute arbitrary code. The issue allows for pre-payload code execution without detection, bypassing the intended security scanning capabilities of \u003ccode\u003epicklescan\u003c/code\u003e. This could allow threat actors to deliver malware, establish persistence, or exfiltrate data through seemingly benign data files, posing a significant risk to machine learning and data science environments that frequently exchange \u003ccode\u003epickle\u003c/code\u003e files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python \u003ccode\u003epickle\u003c/code\u003e file containing a specially constructed \u003ccode\u003etorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\u003c/code\u003e call that includes arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious \u003ccode\u003epickle\u003c/code\u003e file to a target system, potentially via email, compromised data repositories, or untrusted downloads.\u003c/li\u003e\n\u003cli\u003eA Python application on the victim's system attempts to load or process the \u003ccode\u003epickle\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003epicklescan\u003c/code\u003e library is used to scan the file for malicious content, it fails to detect the embedded arbitrary code within the \u003ccode\u003etorch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eDuring the standard Python \u003ccode\u003epickle\u003c/code\u003e deserialization process, the vulnerable \u003ccode\u003eevaluate_guards_expression\u003c/code\u003e call is executed.\u003c/li\u003e\n\u003cli\u003eThe embedded arbitrary code payload is then executed on the victim's system, leading to remote code execution, granting the attacker control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71356 can lead to complete system compromise through remote code execution. Victims, particularly those in data science, machine learning, and AI sectors that frequently handle \u003ccode\u003epickle\u003c/code\u003e files from various sources, are at risk. Attackers could exploit this to deploy ransomware, establish backdoors, steal sensitive intellectual property, or use the compromised system as a pivot point for further network penetration. The undetected nature of the malicious code within the pickle file bypasses security controls, making this a high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later immediately to mitigate CVE-2025-71356.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and source verification for all Python \u003ccode\u003epickle\u003c/code\u003e files loaded in your environment, especially those originating from untrusted sources, even after upgrading \u003ccode\u003epicklescan\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview your software supply chain for components that use or process \u003ccode\u003epickle\u003c/code\u003e files to identify and update any vulnerable instances of \u003ccode\u003epicklescan\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:23:01Z","date_published":"2026-07-04T02:23:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71356-picklescan-deserialization/","summary":"A critical deserialization vulnerability (CVE-2025-71356) in `picklescan` versions prior to 0.0.28 allows attackers to embed undetected malicious code within Python pickle files, leading to remote code execution when these files are loaded by victims.","title":"CVE-2025-71356: picklescan Deserialization Vulnerability Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71356-picklescan-deserialization/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71353"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["deserialization","rce","python","vulnerability","CVE-2025-71353"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-71353 details a critical deserialization vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.28. \u003ccode\u003epicklescan\u003c/code\u003e is a tool designed to identify and mitigate malicious Python pickle files. However, this vulnerability allows attackers to craft specially designed pickle files that leverage the \u003ccode\u003etorch._dynamo.guards.GuardBuilder.get\u003c/code\u003e function within Python's \u003ccode\u003ereduce\u003c/code\u003e methods. These crafted files contain embedded arbitrary commands that \u003ccode\u003epicklescan\u003c/code\u003e fails to detect. Consequently, if such a file is subsequently loaded by an application, the malicious code can execute on the victim's system, leading to remote code execution (RCE). This vulnerability poses a significant risk to systems that process untrusted pickle files, as the security scanner intended to protect them can be bypassed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious pickle file:\u003c/strong\u003e An attacker generates a Python pickle file containing serialized data that, when deserialized, exploits the \u003ccode\u003etorch._dynamo.guards.GuardBuilder.get\u003c/code\u003e function in its \u003ccode\u003ereduce\u003c/code\u003e methods to embed arbitrary commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistribution of malicious pickle file:\u003c/strong\u003e The attacker distributes this malicious pickle file to a victim, potentially via email attachments, compromised package repositories, or direct downloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim scans file with \u003ccode\u003epicklescan\u003c/code\u003e:\u003c/strong\u003e The victim system, or an application interacting with the file, uses \u003ccode\u003epicklescan\u003c/code\u003e (version prior to 0.0.28) to scan the received pickle file for malicious content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003epicklescan\u003c/code\u003e fails detection:\u003c/strong\u003e Due to the flaw described in CVE-2025-71353, \u003ccode\u003epicklescan\u003c/code\u003e fails to identify the embedded malicious payload within the specially crafted pickle file, deeming it safe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious pickle file is loaded:\u003c/strong\u003e An application on the victim's system, trusting the scan results or lacking further validation, proceeds to load and deserialize the now \u0026quot;clean\u0026quot; malicious pickle file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Command Execution:\u003c/strong\u003e During the deserialization process, the embedded arbitrary commands are executed in the context of the vulnerable application, leading to remote code execution on the victim's system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71353 leads to remote code execution (RCE) on the compromised system. This grants attackers the ability to execute arbitrary commands, potentially leading to full system compromise, data theft, data alteration, or the deployment of further malware. The vulnerability has a CVSS v3.1 base score of 8.1 (High), reflecting high impacts on confidentiality and integrity, as attackers can bypass an intended security control to achieve their objectives. All applications and users relying on \u003ccode\u003epicklescan\u003c/code\u003e for validating Python pickle files are at risk if running affected versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later immediately to remediate CVE-2025-71353.\u003c/li\u003e\n\u003cli\u003eReview and update any systems or applications that use \u003ccode\u003epicklescan\u003c/code\u003e to scan incoming pickle files to ensure they are using the patched version.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and integrity checks for all deserialized data, especially from untrusted sources, even after scanning.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:22:16Z","date_published":"2026-07-04T02:22:16Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71353-picklescan-rce/","summary":"Picklescan before version 0.0.28 contains a deserialization vulnerability where it fails to properly detect malicious pickle files. Attackers can craft these files with embedded code that exploits the `torch._dynamo.guards.GuardBuilder.get` function in reduce methods, leading to arbitrary command execution when loaded on a victim system.","title":"CVE-2025-71353: Picklescan Deserialization Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71353-picklescan-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Picklescan \u003c 0.0.28","version":"https://jsonfeed.org/version/1.1"}