CVE-2025-71356

Picklescan Remote Code Execution via Undetected ShapeEnv Eval

Vulnerability report for CVE-2025-71356, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulnCheck

Description

picklescan before 0.0.28 fails to detect malicious torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function calls in pickle files. Attackers can embed undetected code in pickle files that executes remote code when loaded by victims.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: pytorch
Product: torch
Version / Range: *

Exploitability

CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Executive Summary

CVE-2025-71356 is a vulnerability in the picklescan library versions before 0.0.28 that fails to detect malicious use of the PyTorch function torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression within pickle files.

Attackers can craft pickle files that embed this function call in a way that bypasses picklescan's safety checks. When a victim loads such a pickle file with Python's pickle.load(), the embedded code executes on the victim's machine.

This vulnerability enables remote code execution through deserialization of untrusted data, affecting users relying on picklescan to detect harmful pickle files in PyTorch models.

Impact Analysis

This vulnerability can lead to remote code execution on your system if you load a maliciously crafted pickle file that exploits the flaw.

It poses a significant risk especially if you use picklescan to verify PyTorch model files or other pickle-based data, as attackers can embed harmful code that executes when the file is loaded.

Such an attack can be used in supply chain compromises, spreading infected files across machine learning models, APIs, or saved Python objects, potentially leading to unauthorized control or data breaches.

Detection Guidance

This vulnerability involves malicious pickle files that reference the function torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression so that code runs when the file is loaded. Detection involves analyzing pickle files for calls to this specific function inside a __reduce__ payload.

Since picklescan versions before 0.0.28 fail to detect this, you should ensure you are using picklescan 0.0.28 or later to scan pickle files for malicious content.

A practical detection approach is to run picklescan on suspicious pickle files with a command like:

  • picklescan path/to/suspicious_file.pkl

If you do not have picklescan or want to inspect a file manually, you can use Python to examine pickle files in an isolated environment and check for suspicious __reduce__ calls, but this requires advanced knowledge and is risky, because loading a pickle executes whatever it references.
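As an added illustration of the static approach (this is example code written for this page, not picklescan's own scanner or PyTorch code), the script below walks a pickle's opcode stream with pickletools.genops and reports any GLOBAL or STACK_GLOBAL reference to the callable named in the description, without ever calling pickle.load(). The module-prefix / name-suffix matching rule, the fixture bytes and the constant names are this example's own assumptions; the fixtures only reference the callable and contain no arguments or REDUCE opcode.

```python
import pickle
import pickletools

# Callable named in the CVE description. The matching rule (module prefix plus
# method-name suffix) is this example's own choice, not picklescan's.
WATCHED_MODULE_PREFIX = "torch.fx.experimental.symbolic_shapes"
WATCHED_NAME_SUFFIX = "evaluate_guards_expression"

# Opcodes whose operand is a text string; the last two feed STACK_GLOBAL.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def is_suspicious(module: str, name: str) -> bool:
    """True when a global reference points at ShapeEnv.evaluate_guards_expression."""
    return module.startswith(WATCHED_MODULE_PREFIX) and name.endswith(WATCHED_NAME_SUFFIX)


def scan_pickle_bytes(data: bytes) -> list:
    """Walk the opcode stream statically and report watched global references.

    Only pickletools.genops is used, so nothing in the file is imported or
    executed. Returns one dict per finding with the byte offset of the opcode.
    """
    findings = []
    recent_strings = []  # last two string operands: candidate STACK_GLOBAL inputs
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            recent_strings = (recent_strings + [arg])[-2:]
            continue
        if opcode.name == "GLOBAL":            # protocols 0-3: "module name" operand
            module, name = arg.split(" ", 1)
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) == 2:
            module, name = recent_strings      # protocol 4+: module pushed, then name
        else:
            continue
        if is_suspicious(module, name):
            findings.append({"pos": pos, "module": module, "name": name})
    return findings


def scan_pickle_file(path: str) -> list:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return scan_pickle_bytes(fh.read())


# Constructed fixtures. The SAMPLE_* pickles only *reference* the watched
# callable through a GLOBAL / STACK_GLOBAL opcode and are never loaded here.
def _global_pickle(module: str, name: str) -> bytes:
    return b"c" + module.encode() + b"\n" + name.encode() + b"\n."


def _stack_global_pickle(module: str, name: str) -> bytes:
    m, n = module.encode(), name.encode()
    return (b"\x80\x04" + b"\x8c" + bytes([len(m)]) + m
            + b"\x8c" + bytes([len(n)]) + n + b"\x93.")


WATCHED_NAME = "ShapeEnv.evaluate_guards_expression"
SAMPLE_GLOBAL_PICKLE = _global_pickle(WATCHED_MODULE_PREFIX, WATCHED_NAME)
SAMPLE_STACK_GLOBAL_PICKLE = _stack_global_pickle(WATCHED_MODULE_PREFIX, WATCHED_NAME)
BENIGN_PICKLE = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=4)
import collections
BENIGN_GLOBAL_PICKLE = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for hit in scan_pickle_file(path):
            print(f"{path}: offset {hit['pos']}: {hit['module']}.{hit['name']}")
```

Because the scan never executes the pickle, it is safe to run on untrusted files; it is a narrow check for this one callable and is a complement to, not a replacement for, scanning with picklescan 0.0.28 or later.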

Mitigation Strategies

The primary mitigation step is to update picklescan to version 0.0.28 or later, where this vulnerability has been patched.

Avoid loading pickle files from untrusted or unauthenticated sources, as the vulnerability allows remote code execution through malicious pickle files.

Implement strict validation and scanning of all pickle files before loading them in your environment.

Consider using alternative serialization formats that are safer than pickle if possible.

Compliance Impact

The vulnerability allows attackers to execute arbitrary remote code by embedding malicious payloads in pickle files that are not detected by picklescan before version 0.0.28.

Such unauthorized code execution can lead to data breaches, unauthorized access, or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA.

Organizations relying on picklescan for security in their machine learning pipelines or data processing may face increased risk of supply chain attacks, potentially exposing personal or protected health information.

Failure to mitigate this vulnerability by updating picklescan could result in non-compliance with security requirements mandated by these standards.
