CVE Catalog

CVE-2025-71347

Severity: High (CVSS 8.1)
Published: not stated · Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile — higher than 36% of all known CVEs

Summary

A vulnerability in picklescan before version 0.0.33 allows bypassing security checks by using the numpy.f2py.crackfortran.param_eval function in reduce methods. Attackers can embed undetected code in pickle files that executes during deserialization.

Risk Assessment

Organizations using picklescan to scan pickle files are at risk of remote code execution. Attackers can deliver a malicious pickle file that bypasses the scanner and executes arbitrary code in applications processing untrusted pickle data.

Recommendation

Immediately update picklescan to version 0.0.33 or later. Additionally, avoid deserializing untrusted pickle files and consider using safer serialization formats.

Original NVD description (English source)

picklescan before 0.0.33 fails to detect malicious pickle files using numpy.f2py.crackfortran.param_eval function in reduce methods, allowing attackers to bypass security checks. Remote attackers can embed undetected code in pickle files that executes during deserialization, enabling arbitrary code execution in applications loading untrusted pickle data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS