<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Picklescan - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/picklescan/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 04 Jul 2026 02:30:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/picklescan/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-71375: Picklescan Arbitrary Code Execution via _operator.methodcaller Evasion</title><link>https://feed.craftedsignal.io/briefs/2026-07-picklescan-cve-2025-71375/</link><pubDate>Sat, 04 Jul 2026 02:30:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-picklescan-cve-2025-71375/</guid><description>A vulnerability in `picklescan` versions prior to 0.0.34 (CVE-2025-71375) allows attackers to craft malicious Python pickle payloads using the `_operator.methodcaller` built-in function, which evades detection by the `picklescan` library and enables arbitrary code execution when the payload is loaded by an application using `pickle.load()`.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2025-71375, has been identified in the <code>picklescan</code> Python library, affecting all versions before 0.0.34. This flaw allows malicious actors to bypass security checks designed to detect harmful code within Python pickle files. Specifically, <code>picklescan</code> fails to recognize the <code>_operator.methodcaller</code> built-in function as a potential threat vector. Attackers can leverage this oversight to embed arbitrary code within a pickle payload. When such a specially crafted payload is subsequently loaded by an application using Python's standard <code>pickle.load()</code> function, the embedded malicious code will execute, leading to potential system compromise. This vulnerability is significant for organizations that process or share Python pickle files and rely on <code>picklescan</code> for their security posture.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious Python pickle payload, meticulously designed to leverage the <code>_operator.methodcaller</code> built-in function to embed arbitrary code.</li>
<li>The malicious pickle payload is delivered to a target system, potentially as part of an uploaded file, a network stream, or a malicious data artifact exchanged between services.</li>
<li>A system or application utilizing the <code>picklescan</code> library (version prior to 0.0.34) attempts to scan the received pickle file for malicious content to ensure its safety before processing.</li>
<li>Due to the vulnerability (CVE-2025-71375), <code>picklescan</code> fails to identify the <code>_operator.methodcaller</code> based malicious code within the pickle payload, allowing it to be marked as &quot;safe&quot; or undetected.</li>
<li>The legitimate application or service then proceeds to load the unsanitized (and still malicious) pickle file into memory using Python's <code>pickle.load()</code> function.</li>
<li>Upon deserialization, the <code>_operator.methodcaller</code> embedded in the pickle payload triggers the execution of the attacker's arbitrary code within the context and privileges of the vulnerable application.</li>
<li>The attacker achieves arbitrary code execution, which can lead to data exfiltration, system compromise, establishment of persistence, or further network pivoting within the victim's environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2025-71375 grants attackers arbitrary code execution capabilities on the affected system. This can lead to severe consequences, including full system compromise, sensitive data exfiltration, denial of service, or the deployment of further malware such as ransomware. While no specific victim count or targeted sectors are mentioned, any organization or developer using <code>picklescan</code> before version 0.0.34 to sanitize Python pickle files is at risk. The CVSS v3.1 base score of 8.1 (High) underscores the critical nature of this vulnerability, highlighting that it can be exploited remotely without authentication, requiring only user interaction (e.g., loading the malicious pickle).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2025-71375 immediately by upgrading the <code>picklescan</code> library to version 0.0.34 or higher in all development, staging, and production environments.</li>
<li>Implement strong input validation and deserialization policies, assuming any untrusted pickle file, even those scanned by vulnerable versions of <code>picklescan</code>, may contain malicious code.</li>
<li>Review existing codebases for instances of <code>pickle.load()</code> being used on data from untrusted sources, even if processed by <code>picklescan</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>rce</category><category>deserialization</category><category>python</category><category>picklescan</category></item><item><title>CVE-2025-71373: Picklescan Bypass via `operator.methodcaller` Leads to Arbitrary Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/</link><pubDate>Sat, 04 Jul 2026 02:29:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71373-picklescan-bypass/</guid><description>Remote attackers can bypass security checks in `picklescan` versions prior to 0.0.33 by crafting malicious pickle payloads utilizing `operator.methodcaller` function calls, which upon loading by systems relying on `picklescan` for validation, results in arbitrary code execution and system compromise.</description><content:encoded><![CDATA[<p>CVE-2025-71373 details a critical vulnerability affecting <code>picklescan</code> versions before 0.0.33, a tool designed to validate the safety of Python pickle files. This flaw allows remote attackers to circumvent the security mechanisms by embedding <code>operator.methodcaller</code> function calls within crafted pickle files. <code>picklescan</code> fails to detect these specific calls, mistakenly deeming the malicious files as safe. Consequently, any system that processes these specially crafted pickle files and relies on the vulnerable <code>picklescan</code> for validation will execute the embedded arbitrary code upon loading the file, leading to full system compromise. This vulnerability carries a CVSS v3.1 base score of 8.1 (High), highlighting its severe impact and ease of exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Python pickle file containing arbitrary code embedded within <code>operator.methodcaller</code> function calls.</li>
<li>The attacker delivers this malicious pickle file to a target system, potentially via email, file upload functionality, or as part of a data exchange.</li>
<li>The target system, which is configured to process Python pickle files, receives the malicious payload.</li>
<li>The system invokes <code>picklescan</code> (version prior to 0.0.33) to validate the safety and integrity of the incoming pickle file.</li>
<li>During validation, <code>picklescan</code> fails to correctly identify and flag the <code>operator.methodcaller</code> function calls as malicious, allowing the bypass of its security checks.</li>
<li>The target application, erroneously assuming the pickle file is safe based on <code>picklescan</code>'s flawed validation, proceeds to load the file into memory.</li>
<li>Upon loading, the arbitrary code embedded within the <code>operator.methodcaller</code> context is executed on the target system.</li>
<li>The attacker achieves arbitrary code execution, leading to system compromise, which can involve data exfiltration, further persistence, or other malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-71373 grants remote attackers arbitrary code execution capabilities on affected systems. Organizations utilizing <code>picklescan</code> for validating pickle files, particularly in data processing pipelines or applications handling untrusted serialized Python objects, are at risk. This could lead to complete compromise of the affected servers or workstations, potentially resulting in data breaches, installation of malware, or disruption of critical services. The CVSS score of 8.1 reflects the high severity, indicating that an unauthenticated attacker can achieve high confidentiality and integrity impact with low attack complexity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update <code>picklescan</code> to version 0.0.33 or later to patch CVE-2025-71373.</li>
<li>Ensure all applications handling Python pickle files validate their source and integrity rigorously, even when using security scanners.</li>
<li>Implement robust input validation and sanitization for all external inputs, especially those that might involve deserialization of data, to prevent malicious pickle files from being processed.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>rce</category><category>picklescan</category><category>python</category><category>deserialization</category></item><item><title>CVE-2025-71366: Picklescan Deserialization Vulnerability Leads to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71366-picklescan-deserialization/</link><pubDate>Sat, 04 Jul 2026 02:26:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71366-picklescan-deserialization/</guid><description>A critical deserialization vulnerability (CVE-2025-71366) exists in picklescan versions prior to 0.0.28, allowing remote attackers to bypass safety checks by embedding malicious `torch.utils.bottleneck.__main__.run_cprofile` function calls in pickle files, leading to arbitrary code execution when victims load the crafted files.</description><content:encoded><![CDATA[<p>A significant deserialization vulnerability, tracked as CVE-2025-71366, has been identified in <code>picklescan</code> versions predating 0.0.28. This flaw allows malicious actors to craft Python pickle files that include specific <code>torch.utils.bottleneck.__main__.run_cprofile</code> function calls. Critically, the <code>picklescan</code> library, designed to detect and prevent malicious code execution from untrusted pickle files, fails to properly identify these embedded calls. This bypass of security checks enables remote attackers to inject and execute arbitrary code. When a victim's system loads such a specially crafted and undetected malicious pickle file, the embedded code executes with the privileges of the application processing the file, leading to potential system compromise and data loss. This vulnerability is highly impactful due to the widespread use of pickle files in Python ecosystems for data serialization and the security trust placed in <code>picklescan</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Python pickle file containing a serialized object that leverages <code>torch.utils.bottleneck.__main__.run_cprofile</code> to embed arbitrary code.</li>
<li>The attacker ensures the payload is specifically designed to bypass the detection mechanisms implemented in <code>picklescan</code> versions older than 0.0.28.</li>
<li>The attacker delivers the crafted malicious pickle file to a target system, potentially through untrusted data ingestion, shared repositories, or direct download.</li>
<li>A user or an automated process on the victim's system initiates the loading of the malicious pickle file using a Python application that integrates with the vulnerable <code>picklescan</code> library.</li>
<li>During the scanning process, the vulnerable <code>picklescan</code> library (version &lt; 0.0.28) fails to detect the malicious <code>torch.utils.bottleneck.__main__.run_cprofile</code> call due to the inherent deserialization vulnerability.</li>
<li>Upon deserialization of the undetected malicious pickle file, the embedded arbitrary code is executed on the victim's system, achieving remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-71366 results in arbitrary code execution on the victim's system, allowing attackers to take full control of the compromised machine. This can lead to unauthorized data access, modification, or exfiltration; installation of malware such as ransomware or backdoors; and further lateral movement within the network. While specific victim counts or targeted sectors are not provided in the source, any organization or individual processing untrusted pickle files with vulnerable versions of <code>picklescan</code> could be at risk, especially those in data science, machine learning, or research environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2025-71366 immediately</strong> by upgrading <code>picklescan</code> to version 0.0.28 or later to address the deserialization vulnerability.</li>
<li>Implement strict validation and sandboxing for all incoming pickle files, especially those from untrusted sources, even after patching, as a defense-in-depth measure against similar deserialization flaws.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>vulnerability</category><category>deserialization</category><category>python</category><category>picklescan</category></item><item><title>CVE-2025-71362 — picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functio...</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71362-picklescan/</link><pubDate>Sat, 04 Jul 2026 02:25:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-71362-picklescan/</guid><description>picklescan versions prior to 0.0.33 are vulnerable to unsafe deserialization via CVE-2025-71362, allowing attackers to embed malicious code in pickle files that executes due to `numpy.f2py.crackfortran` calling `eval` on arbitrary strings when loaded from untrusted sources, leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2025-71362, has been identified in <code>picklescan</code> versions prior to 0.0.33. This issue stems from <code>picklescan</code>'s failure to adequately detect unsafe deserialization patterns within <code>numpy.f2py.crackfortran</code> functions. Specifically, when these functions process data, they may call <code>eval</code> on arbitrary strings derived from pickle files, creating an arbitrary code execution vector. Attackers can craft malicious pickle files containing embedded code. If these untrusted files are subsequently loaded and processed by a vulnerable <code>picklescan</code> instance, the embedded malicious code will execute, granting the attacker control over the compromised system. This vulnerability poses a significant risk to applications and environments that handle or process pickle files from external or untrusted sources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Vulnerability Identification</strong>: An attacker identifies a target system or application that uses <code>picklescan</code> (version &lt; 0.0.33) to process Python pickle files.</li>
<li><strong>Malicious Pickle File Creation</strong>: The attacker crafts a specially designed pickle file that contains malicious Python code. This code is structured to exploit the unsafe deserialization flaw in <code>numpy.f2py.crackfortran</code> functions, ensuring that when the file is loaded, the <code>eval</code> function is called with the attacker's payload.</li>
<li><strong>Delivery</strong>: The attacker delivers the malicious pickle file to the victim. This could be via email (as an attachment), through a compromised web application, or by placing it in a location where the victim's application is expected to load files (e.g., a shared drive, an untrusted repository).</li>
<li><strong>User/Application Interaction</strong>: The victim's application or user, believing the pickle file to be legitimate or benign, initiates the loading process of the untrusted pickle file using the vulnerable <code>picklescan</code> library.</li>
<li><strong>Vulnerable Deserialization</strong>: During the deserialization process, the <code>picklescan</code> library invokes <code>numpy.f2py.crackfortran</code> functions. Due to the CVE-2025-71362 vulnerability, these functions call <code>eval</code> on the arbitrary malicious strings embedded within the pickle file.</li>
<li><strong>Arbitrary Code Execution</strong>: The <code>eval</code> call executes the attacker's embedded malicious code within the context of the vulnerable application, leading to arbitrary code execution on the host system.</li>
<li><strong>Impact on System</strong>: With arbitrary code execution, the attacker can achieve various objectives, such as data exfiltration, installation of malware, establishment of persistence, or full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2025-71362 allows for arbitrary code execution on the system running the vulnerable <code>picklescan</code> instance. This means an attacker could gain full control over the affected system, potentially leading to complete data compromise, installation of ransomware, deployment of backdoors, or lateral movement within the network. While specific victim counts or targeted sectors are not detailed in the NVD advisory, any organization or developer using affected versions of <code>picklescan</code> to process untrusted Python pickle files is at risk. The consequences range from data breach and operational disruption to severe reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2025-71362</strong>: Immediately upgrade <code>picklescan</code> to version 0.0.33 or later to mitigate CVE-2025-71362.</li>
<li><strong>Implement Input Validation</strong>: Ensure that all pickle files processed by applications are from trusted sources and implement strict validation before deserialization.</li>
<li><strong>Isolate Processing</strong>: If processing untrusted pickle files is unavoidable, perform the deserialization in a highly isolated environment (e.g., a secure sandbox or virtual machine) to contain potential arbitrary code execution.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>deserialization</category><category>python</category><category>arbitrary-code-execution</category><category>vulnerability</category><category>picklescan</category></item></channel></rss>