CVE-2025-71362
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
The vulnerability in picklescan before version 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources.
Risk Assessment
The organization is at risk of remote code execution (RCE) when processing pickle files from untrusted sources, which could lead to system compromise, data theft, or further attack propagation within the network.
Recommendation
Immediately update picklescan to version 0.0.33 or later. Additionally, avoid loading pickle files from untrusted sources and consider using safer serialization formats such as JSON.
Original NVD description (English source)
picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources.

