{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/numpy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-71372"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Picklescan \u003c 0.0.33"],"_cs_severities":["high"],"_cs_tags":["vulnerability","deserialization","python","supply-chain","numpy","arbitrary-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-71372 addresses a significant security flaw in Picklescan versions before 0.0.33. Picklescan, a tool designed to analyze Python pickle files for malicious content, specifically fails to identify the \u003ccode\u003enumpy.f2py.crackfortran.getlincoef\u003c/code\u003e gadget when it's present within a pickle file's \u003ccode\u003e__reduce__\u003c/code\u003e method. This oversight enables attackers to craft highly potent malicious pickle files that can contain and execute arbitrary Python code. When such a specially crafted pickle file is subsequently loaded by a Python application, the embedded code will execute, completely bypassing Picklescan's intended security defenses. This vulnerability poses a severe risk of supply-chain poisoning, particularly in environments where machine learning models or other data are exchanged as pickle files, as it allows attackers to inject malicious code into trusted data streams.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Pickle File\u003c/strong\u003e: An attacker creates a Python pickle file designed to exploit the vulnerability. This file specifically incorporates the \u003ccode\u003enumpy.f2py.crackfortran.getlincoef\u003c/code\u003e gadget within a \u003ccode\u003e__reduce__\u003c/code\u003e method, embedding arbitrary Python code for execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistribution of Malicious File\u003c/strong\u003e: The malicious pickle file is distributed to target systems or users, often disguised as a legitimate shared resource, such as a machine learning model, dataset, or configuration file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePicklescan Bypass\u003c/strong\u003e: The victim organization uses Picklescan (version prior to 0.0.33) to scan the received pickle file for security threats. Due to the vulnerability, Picklescan fails to detect the embedded malicious gadget.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLegitimate Loading\u003c/strong\u003e: A Python application within the victim's environment, believing the file to be safe due to the bypassed scan, loads (deserializes) the pickle file using standard Python \u003ccode\u003epickle.load()\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGadget Invocation\u003c/strong\u003e: During the deserialization process, Python's \u003ccode\u003epickle\u003c/code\u003e module encounters and invokes the \u003ccode\u003e__reduce__\u003c/code\u003e method containing the malicious \u003ccode\u003enumpy.f2py.crackfortran.getlincoef\u003c/code\u003e gadget.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: The arbitrary Python code embedded by the attacker within the gadget is executed on the system with the privileges of the Python application, leading to compromise, data exfiltration, or further system manipulation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupply Chain Poisoning\u003c/strong\u003e: If the compromised system then shares derived or new model files, the malicious code could propagate, leading to wider supply-chain poisoning.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability carries a high impact, allowing for arbitrary code execution and enabling supply-chain poisoning of shared model files. If successfully exploited, attackers can gain full control over the system where the malicious pickle file is loaded, leading to data theft, system disruption, or deployment of further malware. The nature of pickle files, often used in scientific computing and machine learning for sharing models and data, means that organizations relying on these exchanges could unknowingly ingest malicious code. The immediate consequence is a complete compromise of the processing environment, with potential follow-on effects of data loss, intellectual property theft, or widespread network intrusion.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update \u003ccode\u003ePicklescan\u003c/code\u003e to version 0.0.33 or newer to patch CVE-2025-71372 and ensure proper detection of malicious numpy gadgets.\u003c/li\u003e\n\u003cli\u003eEducate development and data science teams on the risks associated with deserializing untrusted \u003ccode\u003epickle\u003c/code\u003e files, even those seemingly cleared by older versions of \u003ccode\u003ePicklescan\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict provenance checks for all \u003ccode\u003epickle\u003c/code\u003e files entering the environment; only load files from trusted and verified sources.\u003c/li\u003e\n\u003cli\u003ePerform a retrospective scan of existing \u003ccode\u003epickle\u003c/code\u003e files within your environment using the patched \u003ccode\u003ePicklescan\u003c/code\u003e version to identify any already compromised models or data artifacts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-04T02:28:44Z","date_published":"2026-07-04T02:28:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71372-picklescan-deserialization/","summary":"CVE-2025-71372 describes a critical vulnerability in Picklescan versions prior to 0.0.33, where the tool fails to detect a specific numpy gadget in pickle `__reduce__` methods, allowing attackers to craft malicious pickle files that execute arbitrary Python code when loaded, bypassing safety checks and enabling supply-chain poisoning of shared model files.","title":"CVE-2025-71372: Picklescan Deserialization Vulnerability (Numpy Gadget)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71372-picklescan-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed - Numpy","version":"https://jsonfeed.org/version/1.1"}