CVE Catalog

CVE-2025-71359

Severity: High (CVSS 8.1)
Published: (date not given in record) · Source: NVD (NIST), translated

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile: higher than 34% of all known CVEs

Summary

A vulnerability in picklescan before version 0.0.29 allows malicious pickle payloads to bypass detection when they use the lib2to3.pgen2.grammar.Grammar.loads method as the callable in a `__reduce__` hook. Attackers can craft pickle files that embed dangerous code, evade picklescan's checks, and execute during pickle.load() deserialization.

Risk Assessment

The risk is remote code execution by an attacker who delivers a crafted pickle file to a system that deserializes it, for example a downloaded model or dataset. Successful exploitation can lead to application or server compromise, data theft, or further escalation of the attack.

Recommendation

Immediately update picklescan to version 0.0.29 or later. Additionally, consider restricting pickle deserialization to trusted sources and using alternative, safer serialization formats.
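The "restrict deserialization to trusted sources" advice above can be enforced in code with an explicit global allowlist, so that a pickle is refused before any unlisted callable (such as the lib2to3 Grammar class named in this CVE) is imported. The following is an added illustration, not picklescan's or NVD's code; the allowlist contents and both sample pickles are constructed for the example.

```python
import io
import pickle

# Allowlist of (module, name) pairs this application actually needs.
# Anything else, including lib2to3.pgen2.grammar.Grammar from
# CVE-2025-71359, is refused before the name is ever imported.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals present on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize with the allowlist enforced; raises on unlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check(data: bytes):
    """Return ('ok', obj) if the pickle loads, else ('blocked', reason)."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


# Constructed sample: a benign pickle of plain data (no GLOBAL opcodes).
BENIGN = pickle.dumps({"weights": [1, 2, 3]}, protocol=2)

# Constructed sample: a protocol-0 stream whose only content is a GLOBAL
# reference to the lib2to3 Grammar class, followed by STOP. It stands in
# for any pickle that reaches for a callable outside the allowlist.
SUSPICIOUS = b"clib2to3.pgen2.grammar\nGrammar\n."

if __name__ == "__main__":
    print(check(BENIGN))      # ('ok', {'weights': [1, 2, 3]})
    print(check(SUSPICIOUS))  # ('blocked', 'refusing to resolve global ...')
```

The allowlist approach complements a scanner such as picklescan rather than replacing it: the scanner inspects files at rest, while `RestrictedUnpickler` is the last line of defence at load time.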

Original NVD description (English source)

picklescan before 0.0.29 fails to detect malicious pickle payloads that utilize lib2to3.pgen2.grammar.Grammar.loads in the reduce method, allowing remote code execution. Attackers can craft pickle files embedding dangerous code that evades picklescan detection and executes during pickle.load() deserialization.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS