CVE Catalog

CVE-2025-71366

HighCVSS 8.1
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile — higher than 36% of all known CVEs

Summary

The vulnerability in picklescan before version 0.0.28 fails to detect malicious torch.utils.bottleneck.__main__.run_cprofile function calls in pickle files, allowing attackers to bypass safety checks. Remote attackers can embed undetected code in pickle files to achieve arbitrary code execution when victims load the files.

Risk Assessment

The organization is at risk of remote code execution (RCE) by loading a crafted pickle file, which could lead to system compromise, data theft, or further attack propagation.

Recommendation

Immediately update picklescan to version 0.0.28 or later, which includes a fix to detect malicious function calls. Additionally, avoid loading pickle files from untrusted sources.

Original NVD description (English source)

picklescan before 0.0.28 fails to detect malicious torch.utils.bottleneck.__main__.run_cprofile function calls in pickle files, allowing attackers to bypass safety checks. Remote attackers can embed undetected code in pickle files to achieve arbitrary code execution when victims load the files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS