{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-71353/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71353"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["picklescan \u003c 0.0.28"],"_cs_severities":["high"],"_cs_tags":["deserialization","rce","python","vulnerability","CVE-2025-71353"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-71353 details a critical deserialization vulnerability affecting \u003ccode\u003epicklescan\u003c/code\u003e versions prior to 0.0.28. \u003ccode\u003epicklescan\u003c/code\u003e is a tool designed to identify and mitigate malicious Python pickle files. However, this vulnerability allows attackers to craft specially designed pickle files that leverage the \u003ccode\u003etorch._dynamo.guards.GuardBuilder.get\u003c/code\u003e function within Python's \u003ccode\u003ereduce\u003c/code\u003e methods. These crafted files contain embedded arbitrary commands that \u003ccode\u003epicklescan\u003c/code\u003e fails to detect. Consequently, if such a file is subsequently loaded by an application, the malicious code can execute on the victim's system, leading to remote code execution (RCE). This vulnerability poses a significant risk to systems that process untrusted pickle files, as the security scanner intended to protect them can be bypassed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious pickle file:\u003c/strong\u003e An attacker generates a Python pickle file containing serialized data that, when deserialized, exploits the \u003ccode\u003etorch._dynamo.guards.GuardBuilder.get\u003c/code\u003e function in its \u003ccode\u003ereduce\u003c/code\u003e methods to embed arbitrary commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistribution of malicious pickle file:\u003c/strong\u003e The attacker distributes this malicious pickle file to a victim, potentially via email attachments, compromised package repositories, or direct downloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim scans file with \u003ccode\u003epicklescan\u003c/code\u003e:\u003c/strong\u003e The victim system, or an application interacting with the file, uses \u003ccode\u003epicklescan\u003c/code\u003e (version prior to 0.0.28) to scan the received pickle file for malicious content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003epicklescan\u003c/code\u003e fails detection:\u003c/strong\u003e Due to the flaw described in CVE-2025-71353, \u003ccode\u003epicklescan\u003c/code\u003e fails to identify the embedded malicious payload within the specially crafted pickle file, deeming it safe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious pickle file is loaded:\u003c/strong\u003e An application on the victim's system, trusting the scan results or lacking further validation, proceeds to load and deserialize the now \u0026quot;clean\u0026quot; malicious pickle file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Command Execution:\u003c/strong\u003e During the deserialization process, the embedded arbitrary commands are executed in the context of the vulnerable application, leading to remote code execution on the victim's system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-71353 leads to remote code execution (RCE) on the compromised system. This grants attackers the ability to execute arbitrary commands, potentially leading to full system compromise, data theft, data alteration, or the deployment of further malware. The vulnerability has a CVSS v3.1 base score of 8.1 (High), reflecting high impacts on confidentiality and integrity, as attackers can bypass an intended security control to achieve their objectives. All applications and users relying on \u003ccode\u003epicklescan\u003c/code\u003e for validating Python pickle files are at risk if running affected versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epicklescan\u003c/code\u003e to version 0.0.28 or later immediately to remediate CVE-2025-71353.\u003c/li\u003e\n\u003cli\u003eReview and update any systems or applications that use \u003ccode\u003epicklescan\u003c/code\u003e to scan incoming pickle files to ensure they are using the patched version.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and integrity checks for all deserialized data, especially from untrusted sources, even after scanning.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:22:16Z","date_published":"2026-07-04T02:22:16Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71353-picklescan-rce/","summary":"Picklescan before version 0.0.28 contains a deserialization vulnerability where it fails to properly detect malicious pickle files. Attackers can craft these files with embedded code that exploits the `torch._dynamo.guards.GuardBuilder.get` function in reduce methods, leading to arbitrary command execution when loaded on a victim system.","title":"CVE-2025-71353: Picklescan Deserialization Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71353-picklescan-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2025-71353","version":"https://jsonfeed.org/version/1.1"}