CVE Catalog

CVE-2025-71364

HighCVSS 8.1
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.56%

42nd percentile — higher than 42% of all known CVEs

Summary

Picklescan before version 0.0.30 does not flag references to asyncio.unix_events._UnixSubprocessTransport._start, a standard-library method that a pickle's __reduce__ payload can call. A crafted pickle that invokes this function passes the scanner's blocklist check, yet executes an attacker-chosen command as soon as the file is deserialized with pickle.load, which amounts to remote code execution on whichever host loads it.

Risk Assessment

The failure is the scanner's clean verdict: a pipeline that gates model or data loading on picklescan will accept the malicious file and deserialize it, handing the attacker code execution in that process. From there the usual consequences follow: compromise of the host, theft of data and credentials stored on it, and lateral movement within the organization's network. Note that picklescan itself is not the process being exploited; the impact lands on whatever loads the pickle after trusting the scan result.

Recommendation

Immediately update picklescan to version 0.0.30 or later, which detects this reference. Because picklescan works from a blocklist of known-dangerous globals, treat a clean scan as a necessary rather than a sufficient control: avoid loading pickle files from untrusted sources at all where possible, and where pickle is unavoidable, load it through an Unpickler whose find_class resolves only an explicit allowlist of the globals the application expects.
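As an added example (not part of this catalog entry and not picklescan's own code), the following Python script shows why the evasion in the summary works and why the allowlisting loader in the recommendation closes it. It constructs a protocol-4 pickle that only references the function named in the advisory and calls it with no arguments, scans that pickle with an illustrative blocklist modeled on the opcode-scanning approach (not picklescan's real list), scans it again with an allowlist, and finally loads it through an Unpickler whose find_class enforces the same allowlist. UNSAFE_GLOBALS, ALLOWED_GLOBALS, the constructed sample pickles and every function name below are assumptions made for this demonstration.

```python
import collections
import io
import pickle
import pickletools

# Illustrative blocklist in the style of an opcode scanner (NOT picklescan's
# real list): module -> names it refuses. The function named in the advisory
# is absent, which is exactly the gap a blocklist cannot close on its own.
UNSAFE_GLOBALS = {
    "os": {"system", "popen", "execv"},
    "subprocess": {"Popen", "call", "check_output"},
    "builtins": {"eval", "exec", "compile", "__import__"},
}

# Illustrative allowlist for a loader that expects plain metadata objects.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

ADVISORY_MODULE = "asyncio.unix_events"
ADVISORY_NAME = "_UnixSubprocessTransport._start"


def reference_pickle(module: str, name: str) -> bytes:
    """Constructed sample: a protocol-4 pickle that resolves module.name via
    STACK_GLOBAL and calls it with no arguments (REDUCE). It is only ever
    scanned or fed to the restricted loader below, never to pickle.load."""
    def short_str(s: str) -> bytes:
        raw = s.encode()
        return pickle.SHORT_BINUNICODE + bytes([len(raw)]) + raw
    return (pickle.PROTO + b"\x04" + short_str(module) + short_str(name)
            + pickle.STACK_GLOBAL + pickle.EMPTY_TUPLE + pickle.REDUCE + pickle.STOP)


def benign_pickle() -> bytes:
    """Constructed sample: an ordinary OrderedDict, which references one global."""
    return pickle.dumps(collections.OrderedDict(epoch=3), protocol=4)


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) a loader would hand to find_class, taken from GLOBAL
    (protocols 0-3) and STACK_GLOBAL (protocol 4+) opcodes without executing
    anything. Simplification: STACK_GLOBAL is resolved from the two most recently
    pushed string literals; a name re-used through the memo (BINGET) would need
    memo tracking as well."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools renders "module name"
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


def blocklist_scan(data: bytes) -> list[tuple[str, str]]:
    """Model of the vulnerable behaviour: only names on the blocklist are flagged."""
    return [(m, n) for m, n in extract_globals(data) if n in UNSAFE_GLOBALS.get(m, ())]


def allowlist_scan(data: bytes) -> list[tuple[str, str]]:
    """Inverse policy: any global the loader does not explicitly need is flagged."""
    return [g for g in extract_globals(data) if g not in ALLOWED_GLOBALS]


class RestrictedUnpickler(pickle.Unpickler):
    """Enforce the allowlist at load time, independent of any scanner verdict."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def try_restricted_load(data: bytes):
    """(True, object) if the allowlist accepts the pickle, else (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    evasive = reference_pickle(ADVISORY_MODULE, ADVISORY_NAME)
    print("blocklist verdict:", blocklist_scan(evasive))   # empty: the reference is missed
    print("allowlist verdict:", allowlist_scan(evasive))   # flagged
    print("restricted load:", try_restricted_load(evasive))
    print("benign file:", try_restricted_load(benign_pickle()))
```

The blocklist scanner catches `reference_pickle("os", "system")` but returns nothing for the advisory's function, reproducing the advisory's failure mode without ever deserializing the sample; the allowlist scanner and the restricted loader both reject it because the policy is inverted, so a name the scanner has never heard of is refused by default rather than accepted.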

Original NVD description (English source)

picklescan before 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can craft malicious pickle files embedding this built-in function that evade detection but execute arbitrary commands when loaded.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS