CVE Catalog

CVE-2025-71373

Severity: High (CVSS 8.1)
Published: (date not recorded) · Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.44%

36th percentile — higher than 36% of all known CVEs

Summary

Versions of picklescan before 0.0.33 fail to detect operator.methodcaller function calls in pickle files, allowing attackers to bypass its security checks. Remote attackers can craft malicious pickle payloads that use operator.methodcaller to execute arbitrary code when the file is loaded.

Risk Assessment

Organizations relying on picklescan for pickle file validation are at risk of remote code execution, which could lead to system compromise, data theft, or further attack escalation.

Recommendation

Immediately update picklescan to version 0.0.33 or later. Until the update is applied, implement additional pickle file validation mechanisms.

Original NVD description (English source)

picklescan before 0.0.33 fails to detect operator.methodcaller function calls in pickle files, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle payloads using operator.methodcaller that execute arbitrary code when loaded, compromising systems relying on picklescan for validation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS