CVE Catalog

CVE-2025-71362

HighCVSS 8.1
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

The vulnerability in picklescan before version 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources.

Risk Assessment

The organization is at risk of remote code execution (RCE) when processing pickle files from untrusted sources, which could lead to system compromise, data theft, or further attack propagation within the network.

Recommendation

Immediately update picklescan to version 0.0.33 or later. Additionally, avoid loading pickle files from untrusted sources and consider using safer serialization formats such as JSON.

Original NVD description (English source)

picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS