CVE-2025-71339: picklescan: scanner bypass enables arbitrary code execution

HIGH
Published June 22, 2026
CISO Take

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length deserialization gadget embedded in pickle __reduce__ methods, meaning attackers can craft malicious model files that pass the scanner's safety check yet execute arbitrary Python code on load. This is a security control bypass — the danger is not just RCE but the false assurance: teams that gate model loading on a clean picklescan result will load malicious files with no warning. Blast radius spans every MLOps pipeline, model registry validation step, and CI/CD workflow relying on picklescan as its primary artifact gate; numpy is ubiquitous in AI/ML environments, making this gadget broadly applicable. There is no public exploit or active exploitation (not in CISA KEV), but the gadget is now documented in the public advisory, lowering the bar significantly. Patch immediately to picklescan ≥0.0.33; until patched, treat all external pickle files as untrusted regardless of scanner output and enforce safetensors as the preferred serialization format.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS 8.1 (High), with real-world risk elevated above the score because this is a security control bypass: organizations using picklescan as a trust gate face an invisible false-negative gap. Attack complexity is low once the gadget is known, and it is now documented publicly via GHSA. No public PoC or active exploitation has been reported, and user interaction is required (the victim must load the file), which moderates immediacy. However, in AI/ML environments loading external or shared model checkpoints is routine and often automated, which removes most of that user-interaction friction. Highest risk profile: teams consuming models from public hubs (Hugging Face, open registries) or sharing checkpoints across organizational boundaries with picklescan as the only validation layer.

How does the attack unfold?

Craft Malicious Artifact
Attacker embeds the numpy.f2py.crackfortran._eval_length gadget in a pickle file's __reduce__ method to encapsulate arbitrary Python code execution within a structurally valid artifact.
AML.T0018.002
Scanner Evasion
Victim runs picklescan (<0.0.33) against the file; the gadget is absent from the scanner's blocklist, returning a clean result and granting the file implicit trust.
AML.T0074
User Execution
Trusting the scanner's safe verdict, the victim or an automated pipeline loads the pickle file, triggering deserialization and firing the __reduce__ gadget.
AML.T0011.000
System Compromise
Arbitrary Python code executes in the victim's ML environment — enabling credential exfiltration, reverse shell establishment, data store access, or downstream training data tampering.
AML.T0112.001

What systems are affected?

Package Ecosystem Vulnerable Range Patched
picklescan pip No patch
413, 3 dependents, pushed 1mo ago, 74% patched, ~12d to patch

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

7 steps
  1. Upgrade picklescan to ≥0.0.33 immediately — this is the only complete fix.

  2. Until patched, do not treat a picklescan 'safe' result as sufficient authorization to load any pickle file from an external or shared source.

  3. Prefer safetensors format over pickle for model serialization — it is structurally incapable of embedding executable code.

  4. Apply sandbox isolation for any remaining pickle loading: separate process, no network access, minimal filesystem permissions, no cloud credential exposure.

  5. Audit all CI/CD pipelines and MLOps workflows that invoke picklescan and enforce a version pin to ≥0.0.33.

  6. Retrospectively re-scan artifact stores with the patched scanner version — files that passed pre-0.0.33 scans may be malicious.

  7. For detection: alert on unexpected child process spawns or network connections originating from Python processes during model loading; instrument deserialization call sites with process-level monitoring.
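Steps 2 through 4 come down to one design rule: a blocklist scanner can only catch gadgets it already knows about, so the loader itself must refuse anything not explicitly allowed. The following is an added example of that allowlist discipline, written for this page; it is not picklescan's code and not from the advisory. The allowlist (a single `collections.OrderedDict` entry), the `.safetensors` extension check, and the two sample pickle files are constructed for the demo. The "disallowed" sample references the harmless `builtins.print`, not any real gadget; the point is only that a global absent from the allowlist is refused both by a static opcode walk and, as the real control, by `find_class` at load time.

```python
"""Allowlist-based pickle admission as defence in depth.

Added example; not picklescan's own code and not from the advisory. The lesson
of the bypass is that a blocklist scanner catches only gadgets it already
knows; a loader that refuses every global not on an explicit allowlist does
not need to know the gadget. The allowlist and the sample files below are
constructed for this demo and are assumptions, not a real model format.
"""
import io
import pickle
import pickletools
from collections import OrderedDict

# Hypothetical allowlist: the only globals this (imaginary) model format needs.
SAFE_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push the string operands STACK_GLOBAL consumes.
_STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                   "STRING", "SHORT_BINSTRING", "BINSTRING"}


class UnsafePickleError(Exception):
    """Raised when a pickle references a global that is not allowlisted."""


def referenced_globals(data):
    """Statically list the (module, name) globals a pickle would resolve.

    Walks the opcode stream without executing it. Known limitation:
    STACK_GLOBAL operands fetched through memo lookups (BINGET) are not
    tracked, which is one reason a static pass is only a first filter and
    the runtime allowlist in AllowlistUnpickler is the actual control.
    """
    found = set()
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":            # protocol <= 3: "module name" text
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: two strings on stack
            if len(recent_strings) >= 2:
                found.add((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in _STRING_OPCODES:
            recent_strings.append(arg)
    return found


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals; everything else fails."""

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise UnsafePickleError("global %s.%s is not on the allowlist" % (module, name))
        return super().find_class(module, name)


def admit_artifact(filename, data):
    """Decide how an artifact may be loaded.

    Returns (verdict, payload): "safetensors" for files the caller hands to
    the safetensors library (loading it is outside this demo), "loaded" with
    the object when every referenced global is allowlisted, or "refused"
    with the reason. The pickle path never runs untrusted code: the static
    pass rejects first, and find_class rejects anything it failed to see.
    """
    if filename.endswith(".safetensors"):
        return "safetensors", None
    unexpected = referenced_globals(data) - SAFE_GLOBALS
    if unexpected:
        return "refused", "unexpected globals: %s" % sorted(unexpected)
    try:
        return "loaded", AllowlistUnpickler(io.BytesIO(data)).load()
    except UnsafePickleError as exc:
        return "refused", str(exc)


# Constructed sample files. BENIGN needs only an allowlisted global.
BENIGN = pickle.dumps(OrderedDict([("weights", [0.1, 0.2]), ("epoch", 3)]))


class _CallsPrintOnLoad:
    """Stand-in for a malicious object: __reduce__ makes load() call a callable.

    The callable is the harmless builtins.print, not a real gadget; the demo
    only needs a global that is absent from the allowlist.
    """

    def __reduce__(self):
        return (print, ("this would run during load",))


DISALLOWED = pickle.dumps(_CallsPrintOnLoad())


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("disallowed", DISALLOWED)):
        print(label, sorted(referenced_globals(blob)), admit_artifact("model.pkl", blob)[0])
    print("model.safetensors", admit_artifact("model.safetensors", b"")[0])
```

Run it as a script to see the three verdicts. The allowlist is deliberately tiny; a real deployment derives it from the globals a known-good checkpoint of the same format actually references, and any growth of that list is a reviewed change rather than a default.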

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2.6 - AI system supply chain security
NIST AI RMF
GOVERN 6.1 - Policies, processes, and practices for AI risk in the supply chain
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-71339?

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length deserialization gadget embedded in pickle __reduce__ methods, meaning attackers can craft malicious model files that pass the scanner's safety check yet execute arbitrary Python code on load. This is a security control bypass — the danger is not just RCE but the false assurance: teams that gate model loading on a clean picklescan result will load malicious files with no warning. Blast radius spans every MLOps pipeline, model registry validation step, and CI/CD workflow relying on picklescan as its primary artifact gate; numpy is ubiquitous in AI/ML environments, making this gadget broadly applicable. There is no public exploit or active exploitation (not in CISA KEV), but the gadget is now documented in the public advisory, lowering the bar significantly. Patch immediately to picklescan ≥0.0.33; until patched, treat all external pickle files as untrusted regardless of scanner output and enforce safetensors as the preferred serialization format.

Is CVE-2025-71339 actively exploited?

No confirmed active exploitation of CVE-2025-71339 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-71339?

  1. Upgrade picklescan to ≥0.0.33 immediately — this is the only complete fix.

  2. Until patched, do not treat a picklescan 'safe' result as sufficient authorization to load any pickle file from an external or shared source.

  3. Prefer safetensors format over pickle for model serialization — it is structurally incapable of embedding executable code.

  4. Apply sandbox isolation for any remaining pickle loading: separate process, no network access, minimal filesystem permissions, no cloud credential exposure.

  5. Audit all CI/CD pipelines and MLOps workflows that invoke picklescan and enforce a version pin to ≥0.0.33.

  6. Retrospectively re-scan artifact stores with the patched scanner version — files that passed pre-0.0.33 scans may be malicious.

  7. For detection: alert on unexpected child process spawns or network connections originating from Python processes during model loading; instrument deserialization call sites with process-level monitoring.

What systems are affected by CVE-2025-71339?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD artifact validation, model registries, offline model evaluation workflows.

What is the CVSS score for CVE-2025-71339?

CVE-2025-71339 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps CI/CD artifact validation, model registries, offline model evaluation workflows

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading
AML.T0112.001 AI Artifacts

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.

Exploitation Scenario

An adversary targeting an ML engineering team first identifies the victim uses picklescan for artifact validation — discoverable via public GitHub CI configs, job postings referencing the tool, or open-source project dependencies. The attacker crafts a pickle file embedding the numpy.f2py.crackfortran._eval_length gadget in its __reduce__ method, a gadget absent from picklescan's pre-0.0.33 detection blocklist. The file is published to a namespace-squatting Hugging Face repository or injected into a shared internal model registry via a compromised contributor account. The victim's CI pipeline runs picklescan against the artifact, receives a clean result, promotes it to production, and loads it in the training or inference environment. During deserialization, the __reduce__ method fires and executes arbitrary Python — establishing a reverse shell, exfiltrating cloud credentials from instance metadata, or modifying training data to introduce a backdoor in the next model generation.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 22, 2026
Last Modified
June 22, 2026
First Seen
June 22, 2026

Related Vulnerabilities