CVE-2025-71339
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
Picklescan before version 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.
Risk Assessment
Organizations may be exposed to arbitrary code execution, potentially leading to data loss or system compromise. Trusting Picklescan's safety validation can be dangerous when dealing with untrusted pickle files.
Recommendation
It is recommended to update Picklescan to version 0.0.33 or later to mitigate this vulnerability. Additionally, avoid loading pickle files from untrusted sources.
Original NVD description (English source)
Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.

