CVE Catalog

CVE-2025-71320

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

Picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.

Risk Assessment

Organizations are exposed to remote attacks that can lead to unauthorized code execution, potentially resulting in data loss or system takeover.

Recommendation

It is recommended to update picklescan to version 0.0.33 or later to block dangerous functions and secure the system against potential attacks.

Original NVD description (English source)

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS