{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/picklescan--0.0.33/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71373"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.33"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","picklescan","python","deserialization"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eCVE-2025-71373 details a critical vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions before 0.0.33, a tool designed to validate the safety of Python pickle files. This flaw allows remote attackers to circumvent the security mechanisms by embedding \u003ccode\u003eoperator.methodcaller\u003c/code\u003e function calls within crafted pickle files. \u003ccode\u003epicklescan\u003c/code\u003e fails to detect these specific calls, mistakenly deeming the malicious files as safe. Consequently, any system that processes these specially crafted pickle files and relies on the vulnerable \u003ccode\u003epicklescan\u003c/code\u003e for validation will execute the embedded arbitrary code upon loading the file, leading to full system compromise. This vulnerability carries a CVSS v3.1 base score of 8.1 (High), highlighting its severe impact and ease of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Python pickle file containing arbitrary code embedded within \u003ccode\u003eoperator.methodcaller\u003c/code\u003e function calls.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this malicious pickle file to a target system, potentially via email, file upload functionality, or as part of a data exchange.\u003c/li\u003e\n\u003cli\u003eThe target system, which is configured to process Python pickle files, receives the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe system invokes \u003ccode\u003epicklescan\u003c/code\u003e (version prior to 0.0.33) to validate the safety and integrity of the incoming pickle file.\u003c/li\u003e\n\u003cli\u003eDuring validation, \u003ccode\u003epicklescan\u003c/code\u003e fails to correctly identify and flag the \u003ccode\u003eoperator.methodcaller\u003c/code\u003e function calls as malicious, allowing the bypass of its security checks.\u003c/li\u003e\n\u003cli\u003eThe target application, erroneously assuming the pickle file is safe based on \u003ccode\u003epicklescan\u003c/code\u003e's flawed validation, proceeds to load the file into memory.\u003c/li\u003e\n\u003cli\u003eUpon loading, the arbitrary code embedded within the \u003ccode\u003eoperator.methodcaller\u003c/code\u003e context is executed on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, leading to system compromise, which can involve data exfiltration, further persistence, or other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71373 grants remote attackers arbitrary code execution capabilities on affected systems. Organizations utilizing \u003ccode\u003epicklescan\u003c/code\u003e for validating pickle files, particularly in data processing pipelines or applications handling untrusted serialized Python objects, are at risk. This could lead to complete compromise of the affected servers or workstations, potentially resulting in data breaches, installation of malware, or disruption of critical services. The CVSS score of 8.1 reflects the high severity, indicating that an unauthenticated attacker can achieve high confidentiality and integrity impact with low attack complexity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.33 or later to patch CVE-2025-71373.\u003c/li\u003e\n\u003cli\u003eEnsure all applications handling Python pickle files validate their source and integrity rigorously, even when using security scanners.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and sanitization for all external inputs, especially those that might involve deserialization of data, to prevent malicious pickle files from being processed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:29:27Z","date_published":"2026-07-04T02:29:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/","summary":"Remote attackers can bypass security checks in `picklescan` versions prior to 0.0.33 by crafting malicious pickle payloads utilizing `operator.methodcaller` function calls, which upon loading by systems relying on `picklescan` for validation, results in arbitrary code execution and system compromise.","title":"CVE-2025-71373: Picklescan Bypass via `operator.methodcaller` Leads to Arbitrary Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71372"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Picklescan \u003c 0.0.33"],"_cs_severities":["high"],"_cs_tags":["vulnerability","deserialization","python","supply-chain","numpy","arbitrary-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-71372 addresses a significant security flaw in Picklescan versions before 0.0.33. Picklescan, a tool designed to analyze Python pickle files for malicious content, specifically fails to identify the \u003ccode\u003enumpy.f2py.crackfortran.getlincoef\u003c/code\u003e gadget when it's present within a pickle file's \u003ccode\u003e__reduce__\u003c/code\u003e method. This oversight enables attackers to craft highly potent malicious pickle files that can contain and execute arbitrary Python code. When such a specially crafted pickle file is subsequently loaded by a Python application, the embedded code will execute, completely bypassing Picklescan's intended security defenses. This vulnerability poses a severe risk of supply-chain poisoning, particularly in environments where machine learning models or other data are exchanged as pickle files, as it allows attackers to inject malicious code into trusted data streams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Pickle File\u003c/strong\u003e: An attacker creates a Python pickle file designed to exploit the vulnerability. This file specifically incorporates the \u003ccode\u003enumpy.f2py.crackfortran.getlincoef\u003c/code\u003e gadget within a \u003ccode\u003e__reduce__\u003c/code\u003e method, embedding arbitrary Python code for execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistribution of Malicious File\u003c/strong\u003e: The malicious pickle file is distributed to target systems or users, often disguised as a legitimate shared resource, such as a machine learning model, dataset, or configuration file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePicklescan Bypass\u003c/strong\u003e: The victim organization uses Picklescan (version prior to 0.0.33) to scan the received pickle file for security threats. Due to the vulnerability, Picklescan fails to detect the embedded malicious gadget.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLegitimate Loading\u003c/strong\u003e: A Python application within the victim's environment, believing the file to be safe due to the bypassed scan, loads (deserializes) the pickle file using standard Python \u003ccode\u003epickle.load()\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGadget Invocation\u003c/strong\u003e: During the deserialization process, Python's \u003ccode\u003epickle\u003c/code\u003e module encounters and invokes the \u003ccode\u003e__reduce__\u003c/code\u003e method containing the malicious \u003ccode\u003enumpy.f2py.crackfortran.getlincoef\u003c/code\u003e gadget.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: The arbitrary Python code embedded by the attacker within the gadget is executed on the system with the privileges of the Python application, leading to compromise, data exfiltration, or further system manipulation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupply Chain Poisoning\u003c/strong\u003e: If the compromised system then shares derived or new model files, the malicious code could propagate, leading to wider supply-chain poisoning.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability carries a high impact, allowing for arbitrary code execution and enabling supply-chain poisoning of shared model files. If successfully exploited, attackers can gain full control over the system where the malicious pickle file is loaded, leading to data theft, system disruption, or deployment of further malware. The nature of pickle files, often used in scientific computing and machine learning for sharing models and data, means that organizations relying on these exchanges could unknowingly ingest malicious code. The immediate consequence is a complete compromise of the processing environment, with potential follow-on effects of data loss, intellectual property theft, or widespread network intrusion.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003ePicklescan\u003c/code\u003e to version 0.0.33 or newer to patch CVE-2025-71372 and ensure proper detection of malicious numpy gadgets.\u003c/li\u003e\n\u003cli\u003eEducate development and data science teams on the risks associated with deserializing untrusted \u003ccode\u003epickle\u003c/code\u003e files, even those seemingly cleared by older versions of \u003ccode\u003ePicklescan\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict provenance checks for all \u003ccode\u003epickle\u003c/code\u003e files entering the environment; only load files from trusted and verified sources.\u003c/li\u003e\n\u003cli\u003ePerform a retrospective scan of existing \u003ccode\u003epickle\u003c/code\u003e files within your environment using the patched \u003ccode\u003ePicklescan\u003c/code\u003e version to identify any already compromised models or data artifacts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:28:44Z","date_published":"2026-07-04T02:28:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71372-picklescan-deserialization/","summary":"CVE-2025-71372 describes a critical vulnerability in Picklescan versions prior to 0.0.33, where the tool fails to detect a specific numpy gadget in pickle `__reduce__` methods, allowing attackers to craft malicious pickle files that execute arbitrary Python code when loaded, bypassing safety checks and enabling supply-chain poisoning of shared model files.","title":"CVE-2025-71372: Picklescan Deserialization Vulnerability (Numpy Gadget)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71372-picklescan-deserialization/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71347"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.33"],"_cs_severities":["high"],"_cs_tags":["deserialization","python","arbitrary-code-execution","vulnerability","cve","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["picklescan"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-71347, has been identified in the \u003ccode\u003epicklescan\u003c/code\u003e library prior to version 0.0.33. This flaw specifically impacts the library's ability to detect malicious pickle files that leverage the \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e function within their \u003ccode\u003ereduce\u003c/code\u003e methods during deserialization. Remote attackers can exploit this bypass to embed arbitrary code within seemingly legitimate pickle files. When an application loads and deserializes such an untrusted, malicious pickle file, the embedded code executes, granting the attacker arbitrary code execution capabilities. This vulnerability is significant for organizations that process or scan Python pickle files, as it allows sophisticated bypasses of security tooling, potentially leading to system compromise through a trusted deserialization process. The issue stems from inadequate sanitization or detection logic within \u003ccode\u003epicklescan\u003c/code\u003e when encountering specific NumPy functions, highlighting the persistent risk of deserialization vulnerabilities in Python ecosystems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting\u003c/strong\u003e: An attacker crafts a malicious Python pickle file, embedding a call to \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e with attacker-controlled arguments within the pickle's \u003ccode\u003ereduce\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery\u003c/strong\u003e: The attacker delivers the specially crafted malicious pickle file to a target system. This delivery can occur via various means such as email attachments, file downloads, or through compromised data repositories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Bypass\u003c/strong\u003e: If the target system uses \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.33 to inspect the file, the vulnerability (CVE-2025-71347) causes \u003ccode\u003epicklescan\u003c/code\u003e to fail to detect the malicious code embedded via \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution Trigger\u003c/strong\u003e: A vulnerable application on the victim's system, designed to process Python pickle data, attempts to load and deserialize the untrusted, now undetected, malicious pickle file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: During the deserialization process, the embedded \u003ccode\u003enumpy.f2py.crackfortran.param_eval\u003c/code\u003e function is invoked by the Python interpreter, leading to the execution of arbitrary code defined by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker gains control over the application's process with the privileges of the running application, potentially allowing for data exfiltration, further system compromise, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71347 results in arbitrary code execution, enabling attackers to fully compromise the affected application and potentially the underlying system. This can lead to sensitive data exfiltration, installation of additional malware, privilege escalation, and complete control over the compromised environment. While the NVD advisory does not specify observed victims or targeted sectors, any organization that uses \u003ccode\u003epicklescan\u003c/code\u003e to validate Python pickle files or deserializes untrusted pickle data is at risk of severe impact, including financial loss, operational disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.33 or later immediately to patch CVE-2025-71347.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and deserialization policies to prevent applications from loading untrusted pickle files, even if scanned by older \u003ccode\u003epicklescan\u003c/code\u003e versions.\u003c/li\u003e\n\u003cli\u003eRefer to the advisory links provided in the \u003ccode\u003ereferences\u003c/code\u003e section for more detailed information about CVE-2025-71347 and mitigation strategies.\u003c/li\u003e\n\u003cli\u003eEnsure all applications processing pickle data are isolated in sandboxed environments to minimize the blast radius of potential arbitrary code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:21:21Z","date_published":"2026-07-04T02:21:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71347-picklescan-rce/","summary":"A critical vulnerability (CVE-2025-71347) exists in picklescan prior to version 0.0.33, allowing remote attackers to bypass security checks by failing to detect malicious pickle files leveraging the numpy.f2py.crackfortran.param_eval function, leading to arbitrary code execution upon deserialization of untrusted data.","title":"CVE-2025-71347: Picklescan Bypass Leads to Arbitrary Code Execution via Malicious Pickle Files","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71347-picklescan-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Picklescan \u003c 0.0.33","version":"https://jsonfeed.org/version/1.1"}