CVE Catalog

CVE-2025-71339

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile - higher than 22% of all known CVEs

Summary

Picklescan before version 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.

Risk Assessment

Organizations may be exposed to arbitrary code execution, potentially leading to data loss or system compromise. Trusting Picklescan's safety validation can be dangerous when dealing with untrusted pickle files.

Recommendation

It is recommended to update Picklescan to version 0.0.33 or later to mitigate this vulnerability. Additionally, avoid loading pickle files from untrusted sources.

Original NVD description (English source)

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS