CVE-2025-71354
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
Picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.
Risk Assessment
Organizations may be exposed to arbitrary code execution, leading to potential security breaches and data loss. Exploiting this vulnerability could allow attackers to gain control over the system.
Recommendation
It is recommended to update picklescan to version 0.0.29 or later to mitigate this vulnerability. Additionally, avoid loading pickle files from untrusted sources.
Original NVD description (English source)
picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

