<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Picklescan &lt; 0.0.33 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/picklescan--0.0.33/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 04 Jul 2026 02:29:27 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/picklescan--0.0.33/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-71373: Picklescan Bypass via `operator.methodcaller` Leads to Arbitrary Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/</link><pubDate>Sat, 04 Jul 2026 02:29:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/</guid><description>Remote attackers can bypass security checks in `picklescan` versions prior to 0.0.33 by crafting malicious pickle payloads utilizing `operator.methodcaller` function calls, which upon loading by systems relying on `picklescan` for validation, results in arbitrary code execution and system compromise.</description><content:encoded><![CDATA[<p>CVE-2025-71373 details a critical vulnerability affecting <code>picklescan</code> versions before 0.0.33, a tool designed to validate the safety of Python pickle files. This flaw allows remote attackers to circumvent the security mechanisms by embedding <code>operator.methodcaller</code> function calls within crafted pickle files. <code>picklescan</code> fails to detect these specific calls, mistakenly deeming the malicious files as safe. Consequently, any system that processes these specially crafted pickle files and relies on the vulnerable <code>picklescan</code> for validation will execute the embedded arbitrary code upon loading the file, leading to full system compromise. This vulnerability carries a CVSS v3.1 base score of 8.1 (High), highlighting its severe impact and ease of exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Python pickle file containing arbitrary code embedded within <code>operator.methodcaller</code> function calls.</li>
<li>The attacker delivers this malicious pickle file to a target system, potentially via email, file upload functionality, or as part of a data exchange.</li>
<li>The target system, which is configured to process Python pickle files, receives the malicious payload.</li>
<li>The system invokes <code>picklescan</code> (version prior to 0.0.33) to validate the safety and integrity of the incoming pickle file.</li>
<li>During validation, <code>picklescan</code> fails to correctly identify and flag the <code>operator.methodcaller</code> function calls as malicious, allowing the bypass of its security checks.</li>
<li>The target application, erroneously assuming the pickle file is safe based on <code>picklescan</code>'s flawed validation, proceeds to load the file into memory.</li>
<li>Upon loading, the arbitrary code embedded within the <code>operator.methodcaller</code> context is executed on the target system.</li>
<li>The attacker achieves arbitrary code execution, leading to system compromise, which can involve data exfiltration, further persistence, or other malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-71373 grants remote attackers arbitrary code execution capabilities on affected systems. Organizations utilizing <code>picklescan</code> for validating pickle files, particularly in data processing pipelines or applications handling untrusted serialized Python objects, are at risk. This could lead to complete compromise of the affected servers or workstations, potentially resulting in data breaches, installation of malware, or disruption of critical services. The CVSS score of 8.1 reflects the high severity, indicating that an unauthenticated attacker can achieve high confidentiality and integrity impact with low attack complexity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update <code>picklescan</code> to version 0.0.33 or later to patch CVE-2025-71373.</li>
<li>Ensure all applications handling Python pickle files validate their source and integrity rigorously, even when using security scanners.</li>
<li>Implement robust input validation and sanitization for all external inputs, especially those that might involve deserialization of data, to prevent malicious pickle files from being processed.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>rce</category><category>picklescan</category><category>python</category><category>deserialization</category></item><item><title>CVE-2025-71372: Picklescan Deserialization Vulnerability (Numpy Gadget)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71372-picklescan-deserialization/</link><pubDate>Sat, 04 Jul 2026 02:28:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71372-picklescan-deserialization/</guid><description>CVE-2025-71372 describes a critical vulnerability in Picklescan versions prior to 0.0.33, where the tool fails to detect a specific numpy gadget in pickle `__reduce__` methods, allowing attackers to craft malicious pickle files that execute arbitrary Python code when loaded, bypassing safety checks and enabling supply-chain poisoning of shared model files.</description><content:encoded><![CDATA[<p>CVE-2025-71372 addresses a significant security flaw in Picklescan versions before 0.0.33. Picklescan, a tool designed to analyze Python pickle files for malicious content, specifically fails to identify the <code>numpy.f2py.crackfortran.getlincoef</code> gadget when it's present within a pickle file's <code>__reduce__</code> method. This oversight enables attackers to craft highly potent malicious pickle files that can contain and execute arbitrary Python code. When such a specially crafted pickle file is subsequently loaded by a Python application, the embedded code will execute, completely bypassing Picklescan's intended security defenses. This vulnerability poses a severe risk of supply-chain poisoning, particularly in environments where machine learning models or other data are exchanged as pickle files, as it allows attackers to inject malicious code into trusted data streams.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker Crafts Malicious Pickle File</strong>: An attacker creates a Python pickle file designed to exploit the vulnerability. This file specifically incorporates the <code>numpy.f2py.crackfortran.getlincoef</code> gadget within a <code>__reduce__</code> method, embedding arbitrary Python code for execution.</li>
<li><strong>Distribution of Malicious File</strong>: The malicious pickle file is distributed to target systems or users, often disguised as a legitimate shared resource, such as a machine learning model, dataset, or configuration file.</li>
<li><strong>Picklescan Bypass</strong>: The victim organization uses Picklescan (version prior to 0.0.33) to scan the received pickle file for security threats. Due to the vulnerability, Picklescan fails to detect the embedded malicious gadget.</li>
<li><strong>Legitimate Loading</strong>: A Python application within the victim's environment, believing the file to be safe due to the bypassed scan, loads (deserializes) the pickle file using standard Python <code>pickle.load()</code> functions.</li>
<li><strong>Gadget Invocation</strong>: During the deserialization process, Python's <code>pickle</code> module encounters and invokes the <code>__reduce__</code> method containing the malicious <code>numpy.f2py.crackfortran.getlincoef</code> gadget.</li>
<li><strong>Arbitrary Code Execution</strong>: The arbitrary Python code embedded by the attacker within the gadget is executed on the system with the privileges of the Python application, leading to compromise, data exfiltration, or further system manipulation.</li>
<li><strong>Supply Chain Poisoning</strong>: If the compromised system then shares derived or new model files, the malicious code could propagate, leading to wider supply-chain poisoning.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability carries a high impact, allowing for arbitrary code execution and enabling supply-chain poisoning of shared model files. If successfully exploited, attackers can gain full control over the system where the malicious pickle file is loaded, leading to data theft, system disruption, or deployment of further malware. The nature of pickle files, often used in scientific computing and machine learning for sharing models and data, means that organizations relying on these exchanges could unknowingly ingest malicious code. The immediate consequence is a complete compromise of the processing environment, with potential follow-on effects of data loss, intellectual property theft, or widespread network intrusion.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update <code>Picklescan</code> to version 0.0.33 or newer to patch CVE-2025-71372 and ensure proper detection of malicious numpy gadgets.</li>
<li>Educate development and data science teams on the risks associated with deserializing untrusted <code>pickle</code> files, even those seemingly cleared by older versions of <code>Picklescan</code>.</li>
<li>Implement strict provenance checks for all <code>pickle</code> files entering the environment; only load files from trusted and verified sources.</li>
<li>Perform a retrospective scan of existing <code>pickle</code> files within your environment using the patched <code>Picklescan</code> version to identify any already compromised models or data artifacts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>deserialization</category><category>python</category><category>supply-chain</category><category>numpy</category><category>arbitrary-code-execution</category></item><item><title>CVE-2025-71347: Picklescan Bypass Leads to Arbitrary Code Execution via Malicious Pickle Files</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71347-picklescan-rce/</link><pubDate>Sat, 04 Jul 2026 02:21:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71347-picklescan-rce/</guid><description>A critical vulnerability (CVE-2025-71347) exists in picklescan prior to version 0.0.33, allowing remote attackers to bypass security checks by failing to detect malicious pickle files leveraging the numpy.f2py.crackfortran.param_eval function, leading to arbitrary code execution upon deserialization of untrusted data.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2025-71347, has been identified in the <code>picklescan</code> library prior to version 0.0.33. This flaw specifically impacts the library's ability to detect malicious pickle files that leverage the <code>numpy.f2py.crackfortran.param_eval</code> function within their <code>reduce</code> methods during deserialization. Remote attackers can exploit this bypass to embed arbitrary code within seemingly legitimate pickle files. When an application loads and deserializes such an untrusted, malicious pickle file, the embedded code executes, granting the attacker arbitrary code execution capabilities. This vulnerability is significant for organizations that process or scan Python pickle files, as it allows sophisticated bypasses of security tooling, potentially leading to system compromise through a trusted deserialization process. The issue stems from inadequate sanitization or detection logic within <code>picklescan</code> when encountering specific NumPy functions, highlighting the persistent risk of deserialization vulnerabilities in Python ecosystems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Payload Crafting</strong>: An attacker crafts a malicious Python pickle file, embedding a call to <code>numpy.f2py.crackfortran.param_eval</code> with attacker-controlled arguments within the pickle's <code>reduce</code> method.</li>
<li><strong>Delivery</strong>: The attacker delivers the specially crafted malicious pickle file to a target system. This delivery can occur via various means such as email attachments, file downloads, or through compromised data repositories.</li>
<li><strong>Defense Bypass</strong>: If the target system uses <code>picklescan</code> versions prior to 0.0.33 to inspect the file, the vulnerability (CVE-2025-71347) causes <code>picklescan</code> to fail to detect the malicious code embedded via <code>numpy.f2py.crackfortran.param_eval</code>.</li>
<li><strong>Execution Trigger</strong>: A vulnerable application on the victim's system, designed to process Python pickle data, attempts to load and deserialize the untrusted, now undetected, malicious pickle file.</li>
<li><strong>Arbitrary Code Execution</strong>: During the deserialization process, the embedded <code>numpy.f2py.crackfortran.param_eval</code> function is invoked by the Python interpreter, leading to the execution of arbitrary code defined by the attacker.</li>
<li><strong>Impact</strong>: The attacker gains control over the application's process with the privileges of the running application, potentially allowing for data exfiltration, further system compromise, or persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-71347 results in arbitrary code execution, enabling attackers to fully compromise the affected application and potentially the underlying system. This can lead to sensitive data exfiltration, installation of additional malware, privilege escalation, and complete control over the compromised environment. While the NVD advisory does not specify observed victims or targeted sectors, any organization that uses <code>picklescan</code> to validate Python pickle files or deserializes untrusted pickle data is at risk of severe impact, including financial loss, operational disruption, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>picklescan</code> to version 0.0.33 or later immediately to patch CVE-2025-71347.</li>
<li>Implement strict input validation and deserialization policies to prevent applications from loading untrusted pickle files, even if scanned by older <code>picklescan</code> versions.</li>
<li>Refer to the advisory links provided in the <code>references</code> section for more detailed information about CVE-2025-71347 and mitigation strategies.</li>
<li>Ensure all applications processing pickle data are isolated in sandboxed environments to minimize the blast radius of potential arbitrary code execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>deserialization</category><category>python</category><category>arbitrary-code-execution</category><category>vulnerability</category><category>cve</category><category>defense-evasion</category></item></channel></rss>