CVE-2025-71356
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
Picklescan before version 0.0.28 fails to detect malicious torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function calls in pickle files. Attackers can embed undetected code in pickle files that executes remote code when loaded by victims.
Risk Assessment
The organization is at risk of remote code execution (RCE) by loading a crafted pickle file, which could lead to system compromise, data theft, or further attack escalation.
Recommendation
Immediately update picklescan to version 0.0.28 or later and scan all existing pickle files for potentially malicious payloads.
Original NVD description (English source)
picklescan before 0.0.28 fails to detect malicious torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function calls in pickle files. Attackers can embed undetected code in pickle files that executes remote code when loaded by victims.

