CVE-2025-71361

Summary

picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().

Affected Software

VendorProductVersion RangeStatus
picklescanpicklescan0 < 0.0.29affected
picklescanpicklescan0.0.29unaffected

Weaknesses

  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References