{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/picklescan--0.0.30/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71345"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.30"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","deserialization","python","machine-learning","vulnerability"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71345 identifies a significant vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions released before 0.0.30. This flaw enables threat actors to craft malicious pickle files containing embedded code that \u003ccode\u003epicklescan\u003c/code\u003e fails to detect, specifically when the code leverages the \u003ccode\u003etorch.utils.bottleneck.__main__.run_autograd_prof\u003c/code\u003e function. By exploiting this oversight, attackers can bypass the intended security scanning mechanisms of \u003ccode\u003epicklescan\u003c/code\u003e and achieve remote code execution (RCE) on systems that deserialize these specially crafted files. This vulnerability presents a high risk as it allows for undetectable arbitrary code execution, undermining the integrity and security of applications relying on \u003ccode\u003epicklescan\u003c/code\u003e for safe deserialization of Python objects, particularly in machine learning environments where pickle files are commonly used for model persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThe provided source describes a vulnerability in \u003ccode\u003epicklescan\u003c/code\u003e's detection capabilities rather than a multi-stage attack chain in the wild. The exploitation scenario primarily involves the delivery and deserialization of a specially crafted malicious file. Therefore, a multi-step attack chain as observed in active campaigns cannot be accurately constructed from this information.\u003c/p\u003e\n\u003cp\u003eHowever, the core exploitation flow is as follows:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker delivers a malicious pickle file to a victim system (e.g., via email, download from an untrusted source, or compromised data pipeline).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Bypass \u003ccode\u003epicklescan\u003c/code\u003e)\u003c/strong\u003e: The malicious pickle file is crafted to invoke the \u003ccode\u003etorch.utils.bottleneck.__main__.run_autograd_prof\u003c/code\u003e function, which \u003ccode\u003epicklescan\u003c/code\u003e versions \u0026lt; 0.0.30 fail to identify as malicious.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeserialization\u003c/strong\u003e: The victim application or system attempts to load and deserialize the seemingly benign pickle file, potentially after a failed \u003ccode\u003epicklescan\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: During the deserialization process, the embedded malicious code within the pickle file is executed in the context of the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The executed code performs actions determined by the attacker, such as system compromise, data exfiltration, or further malware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71345 results in unauthenticated remote code execution on systems that process untrusted pickle files with vulnerable versions of \u003ccode\u003epicklescan\u003c/code\u003e. This allows attackers to bypass security measures, gain full control over the affected system, steal sensitive data, deploy ransomware, or establish persistence within the network. The vulnerability has a CVSS v3.1 base score of 8.1 (High), underscoring the severe consequences of exploitation, particularly in environments handling machine learning models or other serialized Python objects where \u003ccode\u003epicklescan\u003c/code\u003e is deployed for security scanning.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2025-71345 immediately\u003c/strong\u003e: Update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.30 or newer to mitigate the vulnerability and ensure proper detection of malicious pickle files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Secure Deserialization Practices\u003c/strong\u003e: Restrict the deserialization of pickle files from untrusted or unverified sources, as described by CWE-502.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEducate Users\u003c/strong\u003e: Train users and developers about the risks associated with handling untrusted serialized data, including pickle files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:20:22Z","date_published":"2026-07-04T02:20:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71345-picklescan-rce/","summary":"CVE-2025-71345 describes a critical vulnerability in `picklescan` versions prior to 0.0.30, where attackers can embed undetected malicious code within pickle files that specifically invoke the `torch.utils.bottleneck.__main__.run_autograd_prof` function, leading to remote code execution upon deserialization by bypassing `picklescan`'s security checks.","title":"CVE-2025-71345: Picklescan Malicious Pickle File Detection Bypass Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71345-picklescan-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71343"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.30"],"_cs_severities":["high"],"_cs_tags":["deserialization","remote-code-execution","python","vulnerability","detection-bypass"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71343 describes a critical vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.30. This flaw stems from a detection bypass related to the \u003ccode\u003elib2to3.pgen2.pgen.ParserGenerator.make_label\u003c/code\u003e function within the \u003ccode\u003ereduce\u003c/code\u003e method, which is a key component in parsing Python bytecode. Attackers can leverage this vulnerability to craft highly sophisticated malicious pickle files. These files are specifically designed to contain embedded arbitrary commands but will successfully evade \u003ccode\u003epicklescan\u003c/code\u003e's security checks. When an application on a vulnerable system then uses the standard \u003ccode\u003epickle.load()\u003c/code\u003e function to deserialize one of these malicious files, the embedded commands are executed, resulting in arbitrary code execution. This poses a significant risk to systems that process untrusted pickle files, as the primary defense mechanism (\u003ccode\u003epicklescan\u003c/code\u003e) is rendered ineffective against this specific evasion technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Python pickle file containing arbitrary code, specifically exploiting the \u003ccode\u003elib2to3.pgen2.pgen.ParserGenerator.make_label\u003c/code\u003e function's \u003ccode\u003ereduce\u003c/code\u003e method to bypass \u003ccode\u003epicklescan\u003c/code\u003e's detection.\u003c/li\u003e\n\u003cli\u003eThe malicious pickle file is delivered to a target system, potentially through methods such as email attachments, malicious web downloads, or integration into a compromised software supply chain.\u003c/li\u003e\n\u003cli\u003eAn application or user on the target system processes or scans the received pickle file using \u003ccode\u003epicklescan\u003c/code\u003e version prior to 0.0.30.\u003c/li\u003e\n\u003cli\u003eDue to CVE-2025-71343, \u003ccode\u003epicklescan\u003c/code\u003e fails to identify the embedded malicious payload, incorrectly marking the file as benign.\u003c/li\u003e\n\u003cli\u003eA Python application or script on the target system subsequently loads the \u0026quot;undetected\u0026quot; malicious pickle file using \u003ccode\u003epickle.load()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, the embedded arbitrary code within the pickle file is executed in the context of the Python application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution on the compromised system, potentially leading to full system compromise, data exfiltration, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71343 allows an attacker to achieve arbitrary code execution on systems that process untrusted pickle files using vulnerable versions of \u003ccode\u003epicklescan\u003c/code\u003e. This can lead to complete system compromise, unauthorized access to sensitive data, installation of malware, or disruption of services. While no specific victim counts are provided, any organization or individual processing Python pickle files in environments where \u003ccode\u003epicklescan\u003c/code\u003e is used for security vetting (especially in data science, machine learning, or software development contexts) is at risk. The undetected nature of the attack makes it particularly dangerous, as security tools designed to prevent such threats are bypassed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.30 or later immediately to patch CVE-2025-71343 and address the detection bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict controls on the ingestion and processing of untrusted pickle files, regardless of \u003ccode\u003epicklescan\u003c/code\u003e's output, especially from external or unverified sources.\u003c/li\u003e\n\u003cli\u003eEducate users and developers about the risks associated with deserializing untrusted data, specifically in the context of Python pickle files, to prevent arbitrary code execution (CWE-502).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:19:30Z","date_published":"2026-07-04T02:19:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-detection-bypass/","summary":"A deserialization vulnerability, CVE-2025-71343, in picklescan before version 0.0.30 allows attackers to craft malicious pickle files that evade detection and lead to arbitrary code execution when loaded via `pickle.load()`.","title":"CVE-2025-71343 — picklescan Detection Bypass via Malicious Pickle Files","url":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-detection-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71342"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.30"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","supply-chain","python","pickle","pytorch"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71342 identifies a significant vulnerability within \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.30, a Python library designed to scan pickle files for malicious content. The flaw stems from \u003ccode\u003epicklescan\u003c/code\u003e's inability to adequately detect embedded malicious code when attackers specifically use \u003ccode\u003eidlelib.run.Executive.runcode\u003c/code\u003e within the reduce methods of a Python pickle file. This oversight allows threat actors to craft seemingly benign pickle files that, upon deserialization using \u003ccode\u003epickle.load\u003c/code\u003e, will execute arbitrary code. The vulnerability poses a severe risk, particularly for environments handling untrusted pickle files, such as those involving machine learning models (e.g., PyTorch models). Successful exploitation can lead to remote code execution (RCE) on the target system and facilitate widespread supply chain attacks by injecting malicious logic into widely distributed models or data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a specially designed Python pickle file containing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe malicious code is embedded within the pickle file's reduce methods, specifically leveraging \u003ccode\u003eidlelib.run.Executive.runcode\u003c/code\u003e to obscure its true intent.\u003c/li\u003e\n\u003cli\u003eThe attacker then distributes this malicious pickle file, potentially by injecting it into a software supply chain (e.g., a shared machine learning model repository).\u003c/li\u003e\n\u003cli\u003eA victim system or application, such as a PyTorch model loader, downloads or receives the compromised pickle file.\u003c/li\u003e\n\u003cli\u003eThe application attempts to deserialize the pickle file using Python's \u003ccode\u003epickle.load()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the deserialization process, \u003ccode\u003epicklescan\u003c/code\u003e (if present and vulnerable, i.e., version \u0026lt; 0.0.30) fails to identify the \u003ccode\u003eidlelib.run.Executive.runcode\u003c/code\u003e as a malicious primitive.\u003c/li\u003e\n\u003cli\u003eThe embedded arbitrary code within the pickle file's reduce methods is consequently executed by the Python interpreter on the victim's system.\u003c/li\u003e\n\u003cli\u003eThis results in remote code execution (RCE), allowing the attacker to compromise the host system and potentially exfiltrate data or establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-71342 carries severe consequences, primarily remote code execution (RCE) with a CVSS v3.1 base score of 8.1 (High severity). This vulnerability can lead to complete compromise of the affected system's confidentiality and integrity, as attackers gain the ability to execute arbitrary commands. The primary risk lies in supply chain attacks, where malicious pickle files can be distributed through legitimate channels, infecting numerous downstream users. PyTorch models, often distributed as pickle files, are particularly vulnerable, meaning that compromised models could propagate malware to researchers, developers, and production systems globally, leading to widespread data theft, system sabotage, or further network penetration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.30 or later to remediate CVE-2025-71342.\u003c/li\u003e\n\u003cli\u003eImplement strict validation and sandboxing for deserialization of Python pickle files, especially those from untrusted or external sources.\u003c/li\u003e\n\u003cli\u003eEducate development teams on the risks associated with deserializing untrusted data, specifically in the context of CVE-2025-71342 and \u003ccode\u003epickle.load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview existing practices for handling and loading machine learning models (e.g., PyTorch models) to ensure only verified and scanned pickle files are processed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:18:42Z","date_published":"2026-07-04T02:18:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-rce/","summary":"A critical vulnerability (CVE-2025-71342) exists in picklescan versions prior to 0.0.30, where it fails to detect malicious code embedded in Python pickle files by leveraging `idlelib.run.Executive.runcode` in reduce methods, allowing attackers to conceal and execute arbitrary code during `pickle.load` operations, leading to remote code execution (RCE) and potential supply chain attacks, particularly impacting PyTorch models.","title":"CVE-2025-71342: picklescan Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-picklescan-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Picklescan \u003c 0.0.30","version":"https://jsonfeed.org/version/1.1"}