CVE-2025-71325
Received
Received - Intake
Parsing Logic Error in Picklescan Allows Malicious Pickle File Bypass
Vulnerability report for CVE-2025-71325, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-17
Last updated on: 2026-06-17
Assigner: VulnCheck
Description
Description
picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mmaitre314 | picklescan | to 0.0.27 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-391 | [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. |