CVE Catalog

CVE-2025-71367

Severity: High (CVSS 8.1)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile — higher than 36% of all known CVEs

Summary

picklescan before version 0.0.34 fails to detect calls to `_operator.attrgetter` in pickle payloads, so a payload that uses it passes the scanner's security checks. A remote attacker can craft a malicious pickle file whose `__reduce__` method relies on `_operator.attrgetter`; the file is reported as safe, and arbitrary code runs when a victim processes it with `pickle.load()`.

Risk Assessment

The risk is remote code execution on any host that loads a pickle file after trusting picklescan's verdict, which could lead to system compromise, data theft, or further propagation of the attack within the organization's network.

Recommendation

Immediately update picklescan to version 0.0.34 or later, which adds detection of `_operator.attrgetter` calls. Additionally, treat pickle scanning as a heuristic rather than a guarantee: verify the origin of pickle files before loading them and consider safer deserialization methods where possible.

Original NVD description (English source)

picklescan before 0.0.34 fails to detect _operator.attrgetter function calls in pickle payloads, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using _operator.attrgetter in reduce methods to execute arbitrary code when pickle.load() processes the file.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS