CVE-2025-71358
Deferred Deferred - Pending Action

Picklescan Arbitrary Code Execution via Malicious Pickle Files

Vulnerability report for CVE-2025-71358, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.get_entity function in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims using pickle.load().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
picklescan picklescan to 0.0.29 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in picklescan versions before 0.0.29, where it fails to detect malicious pickle files that exploit the idlelib.autocomplete.AutoComplete.get_entity function in reduce methods.

Attackers can embed undetected malicious code within pickle files, which then execute arbitrary commands when these files are loaded by victims using the pickle.load() function.

Impact Analysis

The impact of this vulnerability is that an attacker can execute arbitrary commands on a victim's system by tricking them into loading a malicious pickle file.

This can lead to unauthorized actions being performed on the victim's machine, potentially compromising system integrity and confidentiality.

Compliance Impact

The vulnerability in picklescan allows attackers to embed and execute arbitrary code via malicious pickle files, which can lead to unauthorized remote code execution.

Such unauthorized code execution can compromise the confidentiality and integrity of data processed or stored by affected systems.

This risk may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and ensuring system security.

Organizations relying on picklescan for scanning pickle files might face increased risk of supply chain attacks, potentially leading to data breaches or unauthorized data manipulation.

Therefore, failure to mitigate this vulnerability by updating picklescan could result in non-compliance with security requirements mandated by such regulations.

Detection Guidance

This vulnerability involves picklescan versions before 0.0.29 failing to detect malicious pickle files that exploit the idlelib.autocomplete.AutoComplete.get_entity function within reduce methods.

To detect this vulnerability on your system, you should verify the version of picklescan installed and scan pickle files for malicious content.

  • Check the installed picklescan version: `picklescan --version`
  • Scan suspicious pickle files using picklescan: `picklescan suspicious_file.pkl`

If the version is older than 0.0.29, the detection may be incomplete and malicious pickle files exploiting this vulnerability might not be flagged.

Mitigation Strategies

The primary mitigation step is to update picklescan to version 0.0.29 or later, where this vulnerability has been addressed.

Avoid loading pickle files from untrusted or unauthenticated sources using pickle.load(), as this can lead to arbitrary code execution.

Implement additional security measures such as sandboxing or running pickle loading operations in isolated environments to limit potential damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71358. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart