CVE-2025-71369

Pickle Deserialization RCE Bypass in Picklescan

Vulnerability report for CVE-2025-71369, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulnCheck

Description

picklescan before 0.0.28 fails to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, allowing attackers to bypass safety checks. Remote attackers can embed undetected malicious code in pickle files that executes during deserialization, enabling remote code execution.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: pytorch
Product: torch
Version / Range: *

Exploitability

CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Compliance Impact

The vulnerability in picklescan allows remote code execution through unsafe deserialization of malicious pickle files. This can lead to unauthorized access or manipulation of data, which may result in breaches of confidentiality and integrity.

Such security breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

Organizations relying on picklescan for detecting malicious pickle files may face increased risk of data breaches or supply chain attacks if they do not upgrade to the fixed version, potentially leading to non-compliance with these regulations.

Executive Summary

The vulnerability in picklescan before version 0.0.28 is due to its failure to detect malicious pickle files that use the function torch.utils.data.datapipes.utils.decoder.basichandlers in their reduce methods. This allows attackers to bypass the safety checks implemented by picklescan.

As a result, remote attackers can embed malicious code inside pickle files that goes undetected by picklescan. When these pickle files are deserialized, the embedded malicious code executes, enabling remote code execution on the victim's system.

Impact Analysis

This vulnerability can have serious impacts, especially if you rely on picklescan to verify the safety of pickle files used in PyTorch models or other Python objects.

  • Attackers can craft malicious pickle files that bypass detection and execute arbitrary code remotely during deserialization.
  • This can lead to remote code execution on your system without your knowledge.
  • It poses a risk of supply chain attacks where infected pickle files are distributed across machine learning models, APIs, or saved Python objects.

Overall, this vulnerability can compromise the security and integrity of systems that use picklescan for safety checks, potentially leading to unauthorized access or control.

Detection Guidance

This vulnerability involves picklescan versions before 0.0.28 failing to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods. Detection relies on an updated picklescan (0.0.28 or later), which includes the patch that identifies such pickle files.

To detect potentially malicious pickle files, you should scan pickle files with picklescan version 0.0.28 or later. There are no specific commands provided in the resources, but a typical command to scan a pickle file would be:

  • picklescan path/to/file.pkl

An older version of picklescan will not flag pickle files that use this bypass, so upgrading picklescan is essential for detection.
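As an added illustration of the pre-load check described above (this is not picklescan's own code or detection logic), the following script disassembles a pickle with the standard library's pickletools and flags GLOBAL/STACK_GLOBAL references to the callable named in this CVE. The extra deny-list entries and the sample byte streams are constructed here for the demonstration.

```python
import pickle
import pickletools

# Globals to flag. The first is the callable named in CVE-2025-71369 (missed by
# picklescan before 0.0.28); the others are assumed extra examples, not from the advisory.
FLAGGED_GLOBALS = {
    "torch.utils.data.datapipes.utils.decoder.basichandlers",
    "builtins.eval",
    "os.system",
}

# Opcodes that push a str constant; STACK_GLOBAL pops two of them (module, name).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[str]:
    """Every 'module.name' resolved via GLOBAL/STACK_GLOBAL; genops only disassembles."""
    found, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                       # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:   # protocol 4+
            found.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
    return found

def scan(data: bytes) -> dict:
    """Verdict for one pickle byte string: globals it imports and which are flagged."""
    refs = referenced_globals(data)
    flagged = sorted(r for r in refs if r in FLAGGED_GLOBALS)
    return {"globals": refs, "flagged": flagged, "safe": not flagged}

def _short_unicode(s: str) -> bytes:
    raw = s.encode()                  # SHORT_BINUNICODE push, used only to build samples
    return b"\x8c" + bytes([len(raw)]) + raw

# Constructed samples: a bare reference (no REDUCE call) is enough to exercise detection.
BYPASS_MODULE = "torch.utils.data.datapipes.utils.decoder"
SAMPLE_GLOBAL = b"\x80\x02c" + f"{BYPASS_MODULE}\nbasichandlers\n".encode() + b"."
SAMPLE_STACK_GLOBAL = (b"\x80\x04" + _short_unicode(BYPASS_MODULE)
                       + _short_unicode("basichandlers") + b"\x93.")
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("GLOBAL", SAMPLE_GLOBAL), ("STACK_GLOBAL", SAMPLE_STACK_GLOBAL)]:
        print(label, scan(blob))
```

This check complements an upgraded picklescan rather than replacing it: names fetched from the memo instead of pushed directly before STACK_GLOBAL are not resolved here.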

Mitigation Strategies

The primary mitigation step is to upgrade picklescan to version 0.0.28 or later, where the vulnerability has been patched.

Additionally, avoid deserializing pickle files from untrusted or unauthenticated sources, as the vulnerability allows remote code execution during deserialization.

Review your workflows to ensure that any pickle files used in your environment are scanned with the updated picklescan before loading.
