CVE Catalog

CVE-2025-71354

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

17th percentile — higher than 17% of all known CVEs

Summary

Picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

Risk Assessment

Organizations may be exposed to arbitrary code execution, leading to potential security breaches and data loss. Exploiting this vulnerability could allow attackers to gain control over the system.

Recommendation

It is recommended to update picklescan to version 0.0.29 or later to mitigate this vulnerability. Additionally, avoid loading pickle files from untrusted sources.

Original NVD description (English source)

picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS