<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Picklescan &lt; 0.0.29 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/picklescan--0.0.29/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 04 Jul 2026 02:24:27 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/picklescan--0.0.29/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-71360: Picklescan RCE via Undetected Malicious Pickle Files</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71360-picklescan-rce/</link><pubDate>Sat, 04 Jul 2026 02:24:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71360-picklescan-rce/</guid><description>A high-severity deserialization of untrusted data vulnerability (CVE-2025-71360) in picklescan versions before 0.0.29 allows attackers to embed undetected remote command execution code within malicious pickle files, leading to arbitrary code execution when loaded by victims.</description><content:encoded><![CDATA[<p>CVE-2025-71360 describes a critical deserialization vulnerability impacting <code>picklescan</code> versions prior to 0.0.29, a Python library designed to detect malicious code within Python pickle files. Specifically, the flaw lies in <code>picklescan</code>'s failure to detect malicious code embedded using the <code>idlelib.calltip.get_entity</code> function within pickle reduce methods. This oversight allows attackers to craft specially designed pickle files containing arbitrary Python code that bypasses <code>picklescan</code>'s security checks. When a victim subsequently loads such a malicious pickle file, the embedded code is executed, enabling remote command execution (RCE) on the affected system. This vulnerability poses a significant risk to applications that process or scan untrusted pickle files, as it effectively nullifies the security benefits <code>picklescan</code> is intended to provide.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Python pickle file containing arbitrary code, leveraging the <code>idlelib.calltip.get_entity</code> function within the pickle's <code>__reduce__</code> method to embed their payload.</li>
<li>The attacker distributes this specially crafted pickle file to a target system, potentially through email attachments, untrusted file downloads, or as part of a compromised data exchange.</li>
<li>A victim receives and attempts to process or scan the untrusted pickle file using an affected version of the <code>picklescan</code> library (prior to 0.0.29).</li>
<li>The <code>picklescan</code> library, when performing its security checks, fails to correctly identify and flag the malicious code embedded via <code>idlelib.calltip.get_entity</code>.</li>
<li>The malicious pickle file is then loaded or deserialized by a Python application or script on the victim's system.</li>
<li>During the deserialization process, the embedded code within the pickle file executes, leading to arbitrary remote command execution on the victim's system, granting the attacker control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-71360 leads to arbitrary remote code execution on the victim's system. This can result in complete system compromise, allowing attackers to install malware, exfiltrate sensitive data, establish persistence, or pivot to other systems within the network. Organizations relying on <code>picklescan</code> for validating untrusted data could be unknowingly processing malicious content, leading to widespread compromise. The direct impact is the subversion of a security control, enabling attackers to bypass detection and execute their payloads.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update <code>picklescan</code> to version 0.0.29 or newer to remediate CVE-2025-71360.</li>
<li>Implement strict controls around the handling and loading of Python pickle files, treating all external or untrusted pickle files as potentially malicious.</li>
<li>Educate users and developers on the dangers of deserializing untrusted data and the importance of using secure deserialization alternatives or strict validation.</li>
<li>Consider deploying application-level sandboxing or isolation for processes that handle pickle file deserialization to limit the impact of potential RCE.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>deserialization</category><category>rce</category><category>vulnerability</category><category>python</category></item><item><title>CVE-2025-71359: Picklescan Deserialization RCE Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71359-picklescan-rce/</link><pubDate>Sat, 04 Jul 2026 02:23:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71359-picklescan-rce/</guid><description>Picklescan versions prior to 0.0.29 are vulnerable to remote code execution (CVE-2025-71359) due to a failure in detecting malicious Python pickle payloads that utilize `lib2to3.pgen2.grammar.Grammar.loads`, allowing attackers to craft files that evade detection and execute arbitrary code during deserialization.</description><content:encoded><![CDATA[<p>This brief addresses CVE-2025-71359, a high-severity vulnerability impacting <code>picklescan</code> versions before 0.0.29. The <code>picklescan</code> library, designed to detect malicious Python pickle payloads, fails to identify specific evasion techniques. Specifically, attackers can craft pickle files that embed dangerous code by leveraging <code>lib2to3.pgen2.grammar.Grammar.loads</code> within the <code>__reduce__</code> method. These specially crafted payloads bypass <code>picklescan</code>'s scrutiny. When an application subsequently deserializes such an untrusted pickle file using Python's <code>pickle.load()</code>, the embedded malicious code executes on the host system. This remote code execution (RCE) can grant attackers significant control over the compromised environment, allowing for data exfiltration, system modification, or further network penetration. The vulnerability highlights the inherent risks of deserializing untrusted data and the need for robust validation mechanisms.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Craft Malicious Pickle Payload</strong>: An attacker crafts a Python pickle file (<code>.pkl</code>) embedding arbitrary code, specifically utilizing <code>lib2to3.pgen2.grammar.Grammar.loads</code> within the <code>__reduce__</code> method to achieve RCE.</li>
<li><strong>Evade Security Scanner</strong>: The crafted malicious payload is designed to exploit the flaw in <code>picklescan</code> versions prior to 0.0.29, allowing it to bypass its detection mechanisms.</li>
<li><strong>Delivery of Malicious File</strong>: The attacker delivers the malicious pickle file to a target system. This could occur via various vectors, such as uploading to a vulnerable web application, attaching it to a phishing email, or injecting it into a compromised software supply chain.</li>
<li><strong>Target Application Processes Pickle File</strong>: A vulnerable application on the target system receives and attempts to deserialize the seemingly benign (undetected by <code>picklescan</code>) malicious pickle file using Python's <code>pickle.load()</code> function.</li>
<li><strong>Deserialization and Code Execution</strong>: During the deserialization process, the <code>__reduce__</code> method within the pickle object is invoked, and the embedded <code>Grammar.loads</code> executes the attacker's arbitrary code.</li>
<li><strong>Remote Code Execution (RCE)</strong>: The attacker's code runs with the privileges of the vulnerable application, leading to remote code execution on the target system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-71359 results in remote code execution (RCE) on the host system where the vulnerable <code>picklescan</code> library is used to validate and subsequently deserialize malicious pickle files. This level of access allows attackers to take complete control of the affected application and potentially the underlying server. Consequences can include unauthorized data access, modification, or deletion, installation of malware (e.g., ransomware, backdoors), lateral movement within the network, and complete system compromise. The severity of the impact depends on the privileges of the compromised application and the data it processes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update <code>picklescan</code> to version 0.0.29 or newer to remediate CVE-2025-71359.</li>
<li>Implement strict input validation and sanitization for all incoming pickle files, regardless of <code>picklescan</code> usage.</li>
<li>Adopt secure deserialization practices by never deserializing untrusted data. If deserialization is unavoidable, implement restricted unpickling environments, such as those that limit available classes and functions during <code>pickle.load()</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>remote-code-execution</category><category>deserialization</category><category>python</category><category>vulnerability</category><category>supply-chain</category></item></channel></rss>