CVE-2025-71369
Severity: High (CVSS 8.1)
Exploitation Probability (EPSS): Low risk, 36th percentile (higher than 36% of all known CVEs)
Summary
A vulnerability in picklescan before version 0.0.28 allows bypassing safety checks by using torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods. Attackers can embed undetected malicious code in pickle files that executes during deserialization.
Risk Assessment
The organization is at risk of remote code execution (RCE) when processing malicious pickle files, potentially leading to system compromise, data theft, or lateral movement within the network.
Recommendation
Immediately update picklescan to version 0.0.28 or later. Additionally, avoid deserializing untrusted pickle files and implement additional validation mechanisms.
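One form the additional validation can take, shown as an added example that is not picklescan's code or part of the NVD record: an allowlist check on the globals a pickle imports, which rejects an unlisted callable such as basichandlers by default instead of depending on a denylist entry. ALLOWED, the function and class names, and SAMPLE are assumptions made for illustration.

```python
import io
import pickle
import pickletools

# Assumed allowlist for this example: only the globals your own data needs.
ALLOWED = {("collections", "OrderedDict")}

_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
_MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def referenced_globals(data):
    """Statically list (module, name) imports in a pickle without loading it."""
    found, recent = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            # Module and name are the two strings pushed just before; if they
            # cannot be resolved statically, record an unknown and fail closed.
            found.add(tuple(recent[-2:]) if len(recent) >= 2 else ("?", "?"))
        if op.name in _STRING_OPS:
            recent.append(arg)
        elif op.name not in _MEMO_OPS:
            recent.clear()
    return found

class AllowlistUnpickler(pickle.Unpickler):
    """Second layer: refuse any import at load time that is not allowlisted."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data):
    blocked = referenced_globals(data) - ALLOWED
    if blocked:
        raise pickle.UnpicklingError(f"globals not on allowlist: {sorted(blocked)}")
    return AllowlistUnpickler(io.BytesIO(data)).load()

# Constructed sample: a protocol-0 stream that only names the global from the
# advisory and stops; it contains no call and no payload.
SAMPLE = b"ctorch.utils.data.datapipes.utils.decoder\nbasichandlers\n."
```

The static pass never imports or executes anything, so it can run on files before they reach a host that has torch installed.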
Original NVD description (English source)
picklescan before 0.0.28 fails to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, allowing attackers to bypass safety checks. Remote attackers can embed undetected malicious code in pickle files that executes during deserialization, enabling remote code execution.

