CVE-2025-71358
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
Picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.get_entity function in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims using pickle.load().
Risk Assessment
Organizations may be at risk of executing malicious code, which can lead to data loss or system takeover. Exploitation of this vulnerability could have serious security implications.
Recommendation
It is recommended to update picklescan to version 0.0.29 or later to mitigate the risk associated with this vulnerability. Additionally, avoid loading pickle files from untrusted sources.
Original NVD description (English source)
picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.get_entity function in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims using pickle.load().

