CVE Catalog

CVE-2025-71345

High (CVSS 8.1)
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

Picklescan before version 0.0.30 fails to detect malicious pickle files that invoke the torch.utils.bottleneck.__main__.run_autograd_prof function. Attackers can embed undetected code in pickle files that executes during deserialization, enabling remote code execution.

Risk Assessment

The risk is that organizations using Picklescan to scan pickle files may miss malicious payloads, leading to remote code execution and potential system compromise.

Recommendation

Update Picklescan to version 0.0.30 or later immediately. That release fixes the detection gap described above.

Original NVD description (English source)

picklescan before 0.0.30 fails to detect malicious pickle files that invoke torch.utils.bottleneck.__main__.run_autograd_prof function. Attackers can embed undetected code in pickle files that executes during deserialization, enabling remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS