CVE Catalog

CVE-2025-71374

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.64%

46th percentile — higher than 46% of all known CVEs

Summary

The vulnerability in picklescan before version 0.0.29 fails to detect the built-in profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon deserialization.

Risk Assessment

The organization is at risk of remote code execution by an attacker who delivers a crafted pickle file to a system using picklescan for scanning. This could lead to system compromise, data theft, or further privilege escalation.

Recommendation

Immediately update picklescan to version 0.0.29 or later. Additionally, consider using extra security measures such as sandboxing the pickle deserialization process.

Original NVD description (English source)

picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon deserialization.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS