CVE Catalog

CVE-2025-71343

Severity: High (CVSS 8.1)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.30%

22nd percentile — higher than 22% of all known CVEs

Summary

A vulnerability in picklescan before version 0.0.30 allows malicious pickle files to bypass detection by invoking the lib2to3.pgen2.pgen.ParserGenerator.make_label function through the reduce method. Attackers can craft pickle files with embedded code that evades the scanner but executes arbitrary commands when pickle.load() is called.

Risk Assessment

The organization is at risk of remote code execution (RCE) when it loads a crafted pickle file that picklescan has cleared, potentially leading to system compromise, data theft, or further attack propagation.

Recommendation

Immediately update picklescan to version 0.0.30 or later. Additionally, avoid loading pickle files from untrusted sources, since a scanner is only a secondary control, and consider using safer serialization formats.

Original NVD description (English source)

picklescan before 0.0.30 fails to detect malicious pickle files that exploit lib2to3.pgen2.pgen.ParserGenerator.make_label function in the reduce method. Attackers can craft malicious pickle files with embedded code that evades detection but executes arbitrary commands when pickle.load() is called.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS