CVE-2025-71364
Severity: High (CVSS 8.1)
Exploitation Probability (EPSS): Low risk, 42nd percentile (higher than 42% of all known CVEs)
Summary
Picklescan before version 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can craft malicious pickle files embedding this built-in function that evade detection but execute arbitrary commands when loaded.
Risk Assessment
The risk is remote code execution by an attacker, potentially leading to system compromise, data theft, or lateral movement within the organization's network.
Recommendation
Immediately update picklescan to version 0.0.30 or later, which includes a fix to detect this vulnerability. Additionally, consider restricting the loading of pickle files from untrusted sources.
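A static allowlist check of the kind the recommendation calls for, added here as an example and not picklescan's own code: it walks the pickle opcode stream with pickletools.genops without ever unpickling, and reports every module.name reference that is not on a hypothetical allowlist, so an unexpected standard-library callable is flagged whether or not a blocklist happens to name it. The allowlist, the function names and the sample streams are constructed for this example.

```python
import pickle
import pickletools
from collections import OrderedDict, UserDict, UserList
# Hypothetical deny-by-default policy: the only module.name references we are
# willing to load. Everything else is reported, so detection does not rely on a
# blocklist naming every dangerous callable (the gap behind CVE-2025-71364).
ALLOWED_GLOBALS = {"collections.OrderedDict", "collections.UserDict", "collections.UserList"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(data: bytes) -> list[str]:
    """List every module.name a pickle references without unpickling it: genops
    only disassembles. GLOBAL (proto <= 3) carries module and name inline;
    STACK_GLOBAL (proto >= 4) takes them from the two prior string pushes/memo."""
    refs, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            refs.append(f"{module}.{attr}")
        elif name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without module/name strings")
            refs.append(f"{strings[-2]}.{strings[-1]}")
        elif name in STRING_OPS:
            strings.append(arg)
        elif name in GET_OPS and isinstance(memo.get(arg), str):
            strings.append(memo[arg])  # memoized module name pushed again
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in PUT_OPS:
            memo[arg] = last
        if name in STRING_OPS:  # track whether the stack top is now a string
            last = arg
        elif name in GET_OPS:
            last = memo.get(arg)
        elif name not in PUT_OPS and name not in ("MEMOIZE", "FRAME"):
            last = None
    return refs

def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS) -> list[str]:
    """Return references outside the allowlist; an empty list means clean."""
    return [ref for ref in referenced_globals(data) if ref not in allowed]

# Constructed samples. SUSPECT is a protocol-2 stream whose GLOBAL opcode names the
# asyncio function picklescan < 0.0.30 missed; no REDUCE follows, so it is inert.
SUSPECT = b"\x80\x02casyncio.unix_events\n_UnixSubprocessTransport._start\n."
BENIGN = pickle.dumps(OrderedDict(a=1), protocol=2)
MULTI = pickle.dumps([UserDict(), UserList()], protocol=4)  # STACK_GLOBAL + memo reuse
```

Running scan_pickle over a file before any pickle.load call turns the question from "is this callable on the blocklist" into "is this callable one we expect", which is the property a loader of untrusted pickles actually needs.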
Original NVD description (English source)
picklescan before 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can craft malicious pickle files embedding this built-in function that evade detection but execute arbitrary commands when loaded.