CVE Catalog

CVE-2025-71349

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.56%

43th percentile — higher than 43% of all known CVEs

Summary

The vulnerability in picklescan before version 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files. This allows attackers to embed undetected malicious code that can be executed when pickle.load processes the file.

Risk Assessment

The organization is at risk of remote code execution via crafted pickle files, potentially leading to system compromise, data theft, or lateral movement within the network.

Recommendation

Immediately update picklescan to version 0.0.29 or later. Additionally, avoid processing pickle files from untrusted sources and implement input validation mechanisms.

Original NVD description (English source)

picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using trace.Trace.run in the reduce method to achieve arbitrary code execution when pickle.load processes the file.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS