CVE Catalog

CVE-2025-71363

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.59%

44th percentile — higher than 44% of all known CVEs

Summary

The vulnerability in picklescan before version 0.0.30 fails to detect cProfile.run function calls in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files with cProfile.run payloads that bypass picklescan detection and achieve code execution upon deserialization.

Risk Assessment

The organization is at risk of remote code execution through deserialization of malicious pickle files, which could lead to system compromise, data theft, or further attack propagation.

Recommendation

Immediately update picklescan to version 0.0.30 or later, which includes a fix to detect cProfile.run calls. Additionally, consider restricting deserialization of untrusted pickle data.

Original NVD description (English source)

picklescan before 0.0.30 fails to detect cProfile.run function calls in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files with cProfile.run payloads that bypass picklescan detection and achieve code execution upon deserialization.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS