CVE-2025-71378
7.6
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| picklescan | picklescan | 0 < 0.0.30 | affected |
| picklescan | picklescan | 0.0.30 | unaffected |
Weaknesses
- CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p
- https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-cprofile-runctx-in-pickle-files
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.