CVE-2025-71344
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
Picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.
Risk Assessment
Organizations may be exposed to remote code execution by attackers, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to update picklescan to version 0.0.30 or later to mitigate this vulnerability.
Original NVD description (English source)
picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.

