CVE-2025-71369

Severity: High (CVSS 8.1)

Exploitation Probability (EPSS)

Low risk: 0.45% (36th percentile, higher than 36% of all known CVEs)

Summary

A vulnerability in picklescan before version 0.0.28 allows bypassing safety checks by using torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods. Attackers can embed undetected malicious code in pickle files that executes during deserialization.

Risk Assessment

An organization that relies on picklescan to vet pickle files is at risk of remote code execution (RCE) when a malicious file passes the scan and is then deserialized, potentially leading to system compromise, data theft, or lateral movement within the network.

Recommendation

Immediately update picklescan to version 0.0.28 or later. Additionally, avoid deserializing untrusted pickle files and implement additional validation mechanisms.
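
One possible form of the additional validation mentioned above, shown as an added example (not picklescan's code and not part of the NVD entry): an import allowlist that fails closed, so a callable the scanner has never heard of is still rejected. The allowlist contents and the sample bytes are constructed for illustration; the sample is only parsed with pickletools, never unpickled.

```python
import pickletools

# Assumption: the only imports this deployment expects to see in its pickles.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
UNRESOLVED = ("<unresolved>", "<unresolved>")
MEMO_WRITES = ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT")

# Constructed sample, hand-assembled and only ever parsed, never unpickled:
# PROTO 2, GLOBAL <callable named in the advisory>, two inert one-character
# strings, TUPLE2, REDUCE, STOP.
SAMPLE = (
    b"\x80\x02"
    b"ctorch.utils.data.datapipes.utils.decoder\nbasichandlers\n"
    b"U\x01aU\x01b\x86R."
)


def imported_globals(data: bytes):
    """List the (module, name) pairs a pickle would import, without loading it."""
    found, recent = [], []  # recent: str for each string literal pushed, else None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))  # arg is "module name"
            recent.append(None)
        elif op.name == "STACK_GLOBAL":
            pair = recent[-2:]
            literal = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            # Fail closed when the operands are not two plain string literals.
            found.append(tuple(pair) if literal else UNRESOLVED)
            recent.append(None)
        elif op.name not in MEMO_WRITES:
            recent.append(arg if isinstance(arg, str) else None)
    return found


def disallowed_imports(data: bytes):
    """Return the imports outside the allowlist; reject the file if any exist."""
    return [g for g in imported_globals(data) if g not in ALLOWED_GLOBALS]


if __name__ == "__main__":
    print(disallowed_imports(SAMPLE))
```

A file that makes pickletools.genops raise should be rejected as well. Passing this check only narrows what a pickle can import; the recommendation to avoid deserializing untrusted pickle files still applies.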

Original NVD description (English source)

picklescan before 0.0.28 fails to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, allowing attackers to bypass safety checks. Remote attackers can embed undetected malicious code in pickle files that executes during deserialization, enabling remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS