CVE-2025-71349
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
The vulnerability in picklescan before version 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files. This allows attackers to embed undetected malicious code that can be executed when pickle.load processes the file.
Risk Assessment
The organization is at risk of remote code execution via crafted pickle files, potentially leading to system compromise, data theft, or lateral movement within the network.
Recommendation
Immediately update picklescan to version 0.0.29 or later. Additionally, avoid processing pickle files from untrusted sources and implement input validation mechanisms.
Original NVD description (English source)
picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using trace.Trace.run in the reduce method to achieve arbitrary code execution when pickle.load processes the file.

