CVE-2025-71341: picklescan: scanner bypass enables undetected RCE via pickle

HIGH
Published June 23, 2026
CISO Take

picklescan, the de-facto open-source scanner used to gate pickle files entering ML pipelines, did not flag payloads built on Python's standard-library profiler (profile.Profile.runctx, which passes its command string straight to exec()). A pickle whose __reduce__ output calls it is a fully functional RCE payload that picklescan before 0.0.29 reports as clean. The critical concern for CISOs is that this is a bypass of the security control itself: organizations relying on picklescan as their primary defense against malicious model files in HuggingFace Hub pulls, internal model registries, or MLOps CI gates get false assurance, because the pipeline records a clean scan for a file that was not safe. No EPSS data is available yet and the CVE is not listed in CISA KEV, but the exploitation bar is low (CVSS AC:L, PR:N; the only user interaction required is loading the file) and the technique is fully described in the public GHSA advisory. Upgrade picklescan to 0.0.29 or later immediately and, as defense-in-depth, deserialize models inside sandboxed or isolated processes rather than treating a scanner pass as the sole control.

Sources: NVD, GitHub Advisory, MITRE ATLAS

What is the risk?

High risk for any ML/AI team that uses picklescan as a security gate before loading pickle-serialized models or data. The vulnerability directly undermines the control: a crafted payload passes the gate and the team gains no protection from having scanned it. CVSS 8.1 reflects low attack complexity with no privileges required; the user interaction needed (loading the file) is satisfied automatically in training or CI pipelines that pull models from shared registries. Risk is amplified because picklescan is deployed precisely in security-conscious environments, where it is often the only control between an untrusted artifact and the deserializer.

How does the attack unfold?

Craft Malicious Artifact
Attacker creates a pickle file whose __reduce__ output calls profile.Profile.runctx. runctx passes its cmd argument to exec(), so the attacker supplies an arbitrary Python string (for example one that invokes os.system) and it runs when the file is loaded. The scanner's list of unsafe globals does not include this callable.
AML.T0011.000
Evade Scanner
The malicious pickle file is submitted to a pipeline guarded by picklescan <0.0.29. The scanner sees the global reference to profile.Profile.runctx but that name is absent from its list of unsafe globals, so it marks the file as clean.
AML.T0074
Supply Chain Injection
The falsely cleared artifact is promoted to the approved model registry or artifact store, entering the trusted supply chain.
AML.T0010.001
Remote Code Execution
When a training worker, CI job, or inference server deserializes the file, the embedded payload fires and executes attacker-controlled commands with the process's privileges.
AML.T0018.002

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         <0.0.29            0.0.29

If any stage of your pipeline runs picklescan older than 0.0.29, you are affected, and artifacts that stage cleared cannot be trusted.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

5 steps
  1. Patch: upgrade picklescan to >=0.0.29 immediately on all systems where it is installed (pip install --upgrade picklescan).

  2. Re-scan: with picklescan >=0.0.29, re-scan every model artifact that was cleared by an older version, and treat those artifacts as untrusted until the re-scan passes, since they may have been falsely cleared.

  3. Defense-in-depth: do not rely solely on scanner-pass as a trust signal; deserialize pickle files inside restricted sandbox environments (e.g., gVisor, Firecracker, restricted subprocess with no outbound network).

  4. Prefer safer serialization formats (safetensors, ONNX) for model sharing; prohibit raw pickle where alternatives exist.

  5. Detection: review process execution logs around model load events for anomalous child processes; audit picklescan version deployed in CI/CD jobs.
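As an added example for this page (not picklescan's code, and independent of how picklescan implements its own checks), the following Python shows the two controls that steps 2 and 3 point at for the attack chain described above: an opcode-level scan that extracts every global a pickle would resolve and fails the file on anything outside an allowlist, and a restricted unpickler that enforces the same allowlist at load time. The allowlist contents, the sample model and the `_RunctxProbe` class are constructed for the example; the probe carries an empty argument tuple so it is inert, and it is never unpickled except through the restricted loader, which rejects it.

```python
"""Allowlist-based pickle handling: an opcode-level scan before loading and a
restricted unpickler at load time. Added example for this advisory; it is not
picklescan's code and does not reproduce its internals."""
import io
import pickle
import pickletools
import profile  # stdlib; used only to reference Profile.runctx in an inert probe

# Assumption (hypothetical): the models this pipeline ships need only this
# global. Derive a real allowlist from your own artifacts, then freeze it.
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})

# Opcodes that push a str; STACK_GLOBAL (protocol 4+) consumes the two most
# recent ones as (module, qualname).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Every (module, name) the unpickler would hand to find_class.

    Pure byte-stream walk via pickletools.genops: nothing is imported,
    constructed or executed. Simplification: for STACK_GLOBAL the last two
    pushed strings are taken as module/name, which holds for pickles written
    by the standard pickler (MEMOIZE/BINPUT between them do not pop the stack).
    """
    found: set[tuple[str, str]] = set()
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":          # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: operands pushed earlier
            if len(strings) < 2:
                raise pickle.UnpicklingError("malformed STACK_GLOBAL")
            found.add((strings[-2], strings[-1]))
    return found


def disallowed_globals(data: bytes, allowed=ALLOWED_GLOBALS) -> set[tuple[str, str]]:
    """Scan verdict: globals outside the allowlist; an empty set means clean.
    Unlike a denylist, this cannot miss a dangerous callable it never heard
    of, which is exactly how profile.Profile.runctx slipped through."""
    return referenced_globals(data) - allowed


class RestrictedUnpickler(pickle.Unpickler):
    """Load-time control for a file that passed scanning anyway: find_class is
    the only way a pickle reaches a callable, so refusing unknown globals here
    stops runctx/exec/os.system regardless of what the scanner said."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# --- constructed samples, not real model files ------------------------------
class _RunctxProbe:
    """Same shape the advisory describes: __reduce__ names
    profile.Profile.runctx. The argument tuple is empty, so the probe is inert
    even if unpickled; it exists only to exercise the scanner."""

    def __reduce__(self):
        return (profile.Profile.runctx, ())


def benign_pickle() -> bytes:
    from collections import OrderedDict
    return pickle.dumps(OrderedDict(layer=[0.1, 0.2], bias=0.5), protocol=4)


def probe_pickle(protocol: int) -> bytes:
    # Protocol 4 encodes the dotted qualname directly via STACK_GLOBAL.
    # Protocols <= 3 may instead emit getattr(profile.Profile, "runctx"), so the
    # stream shows builtins.getattr and profile.Profile rather than the literal
    # "profile.Profile.runctx": a denylist keyed on that exact string would not
    # match, while the allowlist still fails the file.
    return pickle.dumps(_RunctxProbe(), protocol=protocol)


if __name__ == "__main__":
    print("benign:", disallowed_globals(benign_pickle()) or "clean")
    for proto in (3, 4):
        print(f"probe p{proto}:", sorted(disallowed_globals(probe_pickle(proto))))
```

Before enforcing this, replace the hypothetical allowlist with the globals your own known-good checkpoints actually reference (collect them with `referenced_globals` over a corpus of trusted files); a false positive on a legitimate checkpoint is the price of never having to learn the next runctx.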

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM03 - Supply Chain

Frequently Asked Questions

What is CVE-2025-71341?

CVE-2025-71341 is a detection bypass in picklescan versions before 0.0.29: the scanner did not flag pickle files that call profile.Profile.runctx (which passes its command string to exec()), so a fully functional RCE payload built on it was reported as clean. It is fixed in picklescan 0.0.29; see the CISO Take above for impact and mitigations.

Is CVE-2025-71341 actively exploited?

No confirmed active exploitation of CVE-2025-71341 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-71341?

1. Patch: upgrade picklescan to >=0.0.29 immediately on all systems where it is installed (pip install --upgrade picklescan).
2. Re-scan: with picklescan >=0.0.29, re-scan every model artifact that was cleared by an older version and treat it as untrusted until the re-scan passes.
3. Defense-in-depth: do not rely solely on a scanner pass as a trust signal; deserialize pickle files inside restricted sandbox environments (e.g., gVisor, Firecracker, a restricted subprocess with no outbound network).
4. Prefer safer serialization formats (safetensors, ONNX) for model sharing; prohibit raw pickle where alternatives exist.
5. Detection: review process execution logs around model load events for anomalous child processes; audit the picklescan version deployed in CI/CD jobs.

What systems are affected by CVE-2025-71341?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD pipelines, model registries.

What is the CVSS score for CVE-2025-71341?

CVE-2025-71341 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps CI/CD pipelines, model registries

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution when the pickle file is loaded.

Exploitation Scenario

An attacker contributes a 'fine-tuned' model to an internal model registry or uploads a poisoned checkpoint to a shared S3 bucket. The file's __reduce__ output calls profile.Profile.runctx with a Python string that spawns a reverse shell; runctx hands that string to exec(). The MLOps CI pipeline runs picklescan against the artifact; the scanner sees the GLOBAL/STACK_GLOBAL reference to profile.Profile.runctx (this is a global reference resolved by the unpickler, not an opcode of its own), but before 0.0.29 that name is absent from its list of unsafe globals, so the file is marked clean. The artifact is promoted to the approved model store. When a downstream training job or inference worker calls pickle.load(), or torch.load() with weights_only=False (the default before PyTorch 2.6), on the approved file, the embedded payload fires and executes arbitrary code with the permissions of the ML worker process, giving the attacker a foothold for lateral movement into training infrastructure, access to cloud credentials, and data exfiltration.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 23, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026

Related Vulnerabilities