CVE-2025-71367
Severity: High (CVSS 8.1)
Exploitation Probability (EPSS): Low risk, 36th percentile (higher than 36% of all known CVEs)
Summary
picklescan before version 0.0.34 does not flag references to _operator.attrgetter in pickle payloads, so a file that uses it passes the scan. attrgetter returns a callable that resolves an attribute path on whatever object it is applied to, so a __reduce__ chain built around _operator.attrgetter can obtain a dangerous callable by attribute lookup rather than by a direct import that the scanner's denylist of known-bad globals would match. A remote attacker who gets such a file loaded (for example as a model or checkpoint) obtains arbitrary code execution with the privileges of the process that calls pickle.load().
Risk Assessment
picklescan is typically run as a gate on untrusted pickle files such as downloaded ML models, so a bypass means a malicious file is reported clean and then executes code when it is loaded. The impact is remote code execution in the loading process, which can lead to system compromise, data theft, or further propagation within the organization's network.
Recommendation
Immediately update picklescan to version 0.0.34 or later, which adds detection of _operator.attrgetter calls. Treat the scanner as one layer, not a security boundary: its detection is a denylist of known dangerous globals, and this CVE is an instance of a new one slipping past it. Where possible, avoid pickle for untrusted data altogether (formats such as safetensors carry no executable payload); if pickle must be loaded, use an Unpickler subclass whose find_class only permits an explicit allowlist of globals, and verify the provenance of the file (signed artifacts, trusted sources) before loading it.
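The following is an added example, not picklescan's own code, that illustrates both the bypass described in the summary and the allowlist loader recommended above. It hand-builds a protocol-0 pickle whose REDUCE chain goes through _operator.attrgetter aimed at a harmless target (str.upper, so the payload evaluates to 'HELLO' instead of running a command), walks the opcode stream with pickletools to list the globals the pickle would resolve, checks them against two constructed denylists (one without and one with attrgetter entries; neither is picklescan's real list), and then shows a find_class allowlist refusing the file outright. The payload, the denylists and the ALLOWED_GLOBALS set are all constructed for this illustration.

```python
"""Added example (not picklescan's code): an attrgetter-based REDUCE chain,
a denylist scanner that misses it, and a find_class allowlist that does not.
The payload and both denylists are constructed for illustration only."""
import io
import pickle
import pickletools
from collections import OrderedDict

# Constructed protocol-0 payload, written by hand so the GLOBAL opcode names the
# C module _operator exactly as the advisory describes.  It evaluates to
#   _operator.attrgetter('upper')('hello')()  ->  'HELLO'
# An attacker would point attrgetter at a dangerous attribute instead; the
# shape (one GLOBAL, then REDUCE calls) is the same.
ATTRGETTER_PAYLOAD = (
    b"c_operator\nattrgetter\n"   # GLOBAL: push _operator.attrgetter
    b"(S'upper'\ntR"              # REDUCE: attrgetter('upper')
    b"(S'hello'\ntR"              # REDUCE: attrgetter('upper')('hello') -> 'hello'.upper
    b"(tR"                        # REDUCE: call the bound method with () -> 'HELLO'
    b"."                          # STOP
)

# Constructed denylist in the style of a pre-fix scanner: well-known dangerous
# globals, but no entry for attrgetter.  This is not picklescan's actual list.
DENYLIST_BEFORE = {
    ("os", "system"), ("os", "popen"), ("posix", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
}
# The same list with the attrgetter entries a fix would need.
DENYLIST_AFTER = DENYLIST_BEFORE | {("_operator", "attrgetter"), ("operator", "attrgetter")}

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_globals(payload: bytes) -> list:
    """Static pass over the opcode stream (nothing is executed): every
    (module, name) the unpickler would hand to find_class, taken from GLOBAL
    (protocols 0-3) or STACK_GLOBAL (protocol 4+, which takes module and
    name from the two string pushes that precede it)."""
    found, recent = [], []
    for opcode, arg, _pos in pickletools.genops(payload):
        if opcode.name in _STRING_OPS:
            recent.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # pickletools joins the pair with a space
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.append((recent[-2], recent[-1]))
    return found


def denylist_findings(payload: bytes, denylist) -> list:
    """What a denylist scanner reports.  A global absent from the list, such
    as _operator.attrgetter before the fix, is accepted without comment."""
    return [g for g in scan_globals(payload) if g in denylist]


# Allowlist alternative: the loader refuses every global it was not told to
# expect, so a callable the scanner never heard of cannot get through.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                   ("collections", "OrderedDict")}   # constructed for this example


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_restricted(payload: bytes):
    """Load with the allowlist; raises pickle.UnpicklingError on any other global."""
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def restricted_blocks(payload: bytes) -> bool:
    """True if the allowlist loader refuses the payload."""
    try:
        load_restricted(payload)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("globals referenced:", scan_globals(ATTRGETTER_PAYLOAD))
    print("denylist before fix:", denylist_findings(ATTRGETTER_PAYLOAD, DENYLIST_BEFORE))
    print("denylist after fix: ", denylist_findings(ATTRGETTER_PAYLOAD, DENYLIST_AFTER))
    print("plain pickle.loads ran the chain:", pickle.loads(ATTRGETTER_PAYLOAD))
    print("allowlist loader blocks it:", restricted_blocks(ATTRGETTER_PAYLOAD))
```

The scan is purely static (pickletools never executes the stream), which is why it is safe to run on untrusted files, and also why it can only reason about the names the pickle references: that is the structural reason a denylist keeps needing new entries while the allowlist loader does not.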
Original NVD description (English source)
picklescan before 0.0.34 fails to detect _operator.attrgetter function calls in pickle payloads, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using _operator.attrgetter in reduce methods to execute arbitrary code when pickle.load() processes the file.

