CVE Catalog

CVE-2025-71344

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

28th percentile - higher than 28% of all known CVEs

Summary

Picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.

Risk Assessment

Organizations may be exposed to remote code execution by attackers, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to update picklescan to version 0.0.30 or later to mitigate this vulnerability.

Original NVD description (English source)

picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS