Skip to content
Threat Feed

Tag

Picklescan

4 briefs RSS
high advisory

CVE-2025-71375: Picklescan Arbitrary Code Execution via _operator.methodcaller Evasion

A vulnerability in `picklescan` versions prior to 0.0.34 (CVE-2025-71375) allows attackers to craft malicious Python pickle payloads using the `_operator.methodcaller` built-in function, which evades detection by the `picklescan` library and enables arbitrary code execution when the payload is loaded by an application using `pickle.load()`.

picklescan vulnerability rce deserialization python
1t 1c
high advisory

CVE-2025-71373: Picklescan Bypass via `operator.methodcaller` Leads to Arbitrary Code Execution

Remote attackers can bypass security checks in `picklescan` versions prior to 0.0.33 by crafting malicious pickle payloads utilizing `operator.methodcaller` function calls, which upon loading by systems relying on `picklescan` for validation, results in arbitrary code execution and system compromise.

picklescan < 0.0.33 vulnerability rce picklescan python deserialization
1t 1c
high advisory

CVE-2025-71366: Picklescan Deserialization Vulnerability Leads to RCE

A critical deserialization vulnerability (CVE-2025-71366) exists in picklescan versions prior to 0.0.28, allowing remote attackers to bypass safety checks by embedding malicious `torch.utils.bottleneck.__main__.run_cprofile` function calls in pickle files, leading to arbitrary code execution when victims load the crafted files.

picklescan < 0.0.28 cve vulnerability deserialization python picklescan
2t 1c
high advisory

CVE-2025-71362 — picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functio...

picklescan versions prior to 0.0.33 are vulnerable to unsafe deserialization via CVE-2025-71362, allowing attackers to embed malicious code in pickle files that executes due to `numpy.f2py.crackfortran` calling `eval` on arbitrary strings when loaded from untrusted sources, leading to arbitrary code execution.

picklescan cve deserialization python arbitrary-code-execution vulnerability
2t 1c