CVE Catalog

CVE-2025-71342

High · CVSS 8.1

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

picklescan before version 0.0.30 fails to detect malicious pickle files that use idlelib.run.Executive.runcode in reduce methods. Attackers can embed code in a pickle file that the scanner does not flag and that executes during pickle.load, enabling remote code execution in PyTorch models and supply chain attacks.

Risk Assessment

The organization is at risk of remote code execution when loading PyTorch models, which could lead to system compromise, data theft, or malware injection through the supply chain.

Recommendation

Immediately update picklescan to version 0.0.30 or later and scan all pickle files before loading, especially in environments using PyTorch.
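
A complementary pre-load check, as an added example (not picklescan's code and not part of the NVD record): it parses a pickle stream with pickletools, never loading it, and reports every imported global outside an allowlist, so a callable missing from a scanner's denylist is still flagged. The allowlist contents, the function names and the sample bytes are assumptions made for this example.

```python
import pickletools

# Assumption for this example: the only globals the application expects to see.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
UNRESOLVED = ("<unresolved>", "<unresolved>")

def referenced_globals(data: bytes) -> set:
    """List every (module, name) a pickle stream imports, without loading it."""
    found, memo = set(), {}
    top = [None, None]  # recent pushes; None means "not a known string"
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in ("GLOBAL", "INST"):
            # Protocol <= 3 style: the opcode argument is "module name".
            found.add(tuple(arg.split(" ", 1)))
            top.append(None)
        elif name == "STACK_GLOBAL":
            # Protocol >= 4 style: module and name are the two topmost strings.
            module, attr = top[-2], top[-1]
            ok = isinstance(module, str) and isinstance(attr, str)
            found.add((module, attr) if ok else UNRESOLVED)  # fail closed
            top.append(None)
        elif name in STRING_OPS:
            top.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = top[-1]
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = top[-1]
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            top.append(memo.get(arg))
        else:
            top.append(None)  # any other opcode: treat the stack top as unknown
    return found

def disallowed_globals(data: bytes) -> list:
    """Return the sorted globals that are not on the allowlist."""
    return sorted(referenced_globals(data) - ALLOWED_GLOBALS)

# Constructed sample: a bare GLOBAL reference followed by STOP. It is only parsed.
SAMPLE = b"cidlelib.run\nExecutive.runcode\n."

if __name__ == "__main__":
    print(disallowed_globals(SAMPLE))
```

A file should be loaded only when disallowed_globals returns an empty list; an unresolved entry means the import target could not be determined statically and is treated as a finding.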

Original NVD description (English source)

picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.run.Executive.runcode in reduce methods. Attackers can embed undetected code in pickle files that executes during pickle.load, enabling remote code execution in PyTorch models and supply chain attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS