CVE-2025-71339
Deferred Deferred - Pending Action

Picklescan Arbitrary Code Execution via Unsafe Pickle Deserialization

Vulnerability report for CVE-2025-71339, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability allows attackers to execute arbitrary Python code on a victim's system by tricking them into loading a malicious pickle file that bypasses Picklescan's safety checks.

This can lead to unauthorized actions, potential system compromise, data manipulation, or other malicious activities depending on the attacker's intent.

Executive Summary

This vulnerability exists in Picklescan versions before 0.0.33, where the software fails to detect a specific gadget called numpy.f2py.crackfortran._eval_length within pickle __reduce__ methods.

Because of this failure, attackers can create malicious pickle files that execute arbitrary Python code when these files are loaded by users who rely on Picklescan's safety validation.

Compliance Impact

This vulnerability allows arbitrary code execution when malicious pickle files are loaded by victims relying on Picklescan's safety validation. Such unauthorized code execution can lead to compromise of sensitive data or systems.

Because the vulnerability involves improper deserialization of untrusted data, it can potentially lead to breaches of confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA.

Organizations using vulnerable versions of Picklescan may face increased risk of data breaches or unauthorized access, which could result in non-compliance with data protection regulations requiring secure handling of personal or sensitive information.

Detection Guidance

This vulnerability involves malicious pickle files that exploit the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, which Picklescan versions before 0.0.33 fail to detect.

To detect this vulnerability on your system, you should verify the version of Picklescan you are using. If it is before 0.0.33, it is vulnerable.

Since the vulnerability is related to unsafe deserialization of pickle files, you can monitor or scan pickle files being loaded or transferred in your environment.

Suggested commands include checking the Picklescan version installed:

  • pip show picklescan
  • pip list | grep picklescan

Additionally, you can attempt to scan suspicious pickle files with Picklescan and observe if it flags them as safe or unsafe. However, versions before 0.0.33 may incorrectly mark malicious files as safe.

Mitigation Strategies

The primary mitigation step is to upgrade Picklescan to version 0.0.33 or later, where this vulnerability has been patched.

Avoid loading pickle files from untrusted or unauthenticated sources, especially if relying on Picklescan for safety validation.

Implement additional security controls around deserialization processes, such as sandboxing or restricting execution environments.

Review workflows that depend on Picklescan to vet pickle files and ensure they are updated to use the fixed version.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart