CVE-2025-71344: picklescan: scanner bypass enables undetected pickle RCE

HIGH
Published June 22, 2026
CISO Take

picklescan versions 0.0.26 and earlier fail to detect the Python built-in ensurepip._run_pip when embedded in a pickle file's __reduce__ method, meaning malicious ML model files crafted with this technique pass the scanner clean and execute arbitrary code on pickle.load(). This is a false-negative in a security control — teams relying on picklescan as the primary gate before loading third-party or user-supplied models now have a verified blind spot that adversaries can exploit with minimal skill once the bypass is public knowledge. While no active exploitation or public exploit code has been confirmed (not in CISA KEV, no EPSS data), pickle-based RCE has been weaponized before in ML supply chain attacks, and the technique is trivially reproduced from the advisory. Upgrade picklescan to 0.0.30 immediately and re-scan any model artifacts previously cleared by the affected versions.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

HIGH risk for AI/ML teams using picklescan 0.0.26 or earlier as a security gate in model ingestion pipelines. The vulnerability is a complete detection bypass, not a partial miss — any pickle file embedding ensurepip._run_pip as a __reduce__ callable receives a clean bill of health from the scanner. CVSS 8.1 reflects high confidentiality and integrity impact with no privileges required. User interaction (calling pickle.load()) is the normal and expected behavior in model-loading workflows, meaning the friction for exploitation is essentially zero once a malicious file reaches the pipeline. No KEV listing and no EPSS score indicate no confirmed in-the-wild exploitation yet, but post-disclosure weaponization is low-barrier. Organizations with automated model ingestion pipelines that gate on picklescan output face the highest exposure.

How does the attack unfold?

  1. Craft Malicious Model (AML.T0018.002): Attacker creates a pickle file with a __reduce__ method that invokes ensurepip._run_pip to execute an attacker-controlled payload on deserialization.

  2. Bypass Security Scanner (AML.T0107): The malicious file is submitted to picklescan 0.0.26 or earlier, which does not flag ensurepip._run_pip and returns a clean result, granting the artifact false legitimacy.

  3. Deliver to Target Pipeline (AML.T0011.000): Attacker distributes the scanner-cleared model via a public hub, email attachment, or supply chain channel; the clean scan result lowers victim suspicion and bypasses manual review gates.

  4. Remote Code Execution (AML.T0072): Target ML pipeline calls pickle.load() on the file during normal model loading, triggering the embedded payload and granting the attacker arbitrary code execution inside the inference or training environment.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip                            No patch


How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

What should I do?

5 steps
  1. Patch immediately: upgrade picklescan to 0.0.30 or later — this is the only fix.

  2. Audit trust gap: any model artifact scanned clean by versions 0.0.26 and earlier cannot be trusted; re-scan the full model inventory with the patched version before next use.

  3. Prefer safe serialization: migrate model serialization to safetensors format where possible — it does not support arbitrary code execution by design and eliminates this attack class entirely.

  4. Sandbox model loading: run pickle.load() operations in isolated containers with dropped capabilities, no network egress, and read-only filesystem mounts to limit RCE blast radius.

  5. Manual indicator: grep model files for 'ensurepip' strings as a stop-gap detection heuristic while patching is in progress.
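The grep heuristic in step 5 matches a byte string, so it says nothing about other unexpected imports and can miss a checkpoint whose pickle sits inside a compressed zip member. The following added example, written for this page rather than taken from picklescan or any other project, goes further: it walks the pickle opcode stream with the standard library's pickletools, never executing anything, and reports every global the stream would resolve. ensurepip._run_pip and a few well-known code-execution sinks are labelled deny, anything outside a constructed allowlist is labelled unknown, zip-wrapped checkpoints are scanned member by member, and the memo is tracked so that a module name recalled via BINGET (which a naive "last two strings" scanner mislabels) still resolves correctly. The allowlist, deny set and inline fixtures are illustrative assumptions.

```python
"""Opcode-level scan of pickle-based model files; nothing in the file is executed."""
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

import ensurepip  # stdlib; imported only so a fixture can name the function

# Constructed allowlist: the only globals this example's pipeline expects in a
# plain checkpoint. Tune it to what your own loader actually needs.
SAFE_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}
# Globals that never belong in a model file: the one this advisory covers plus
# a few well-known code-execution sinks.
DENY_GLOBALS = {("ensurepip", "_run_pip"), ("os", "system"), ("subprocess", "Popen"),
                ("builtins", "eval"), ("builtins", "exec")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def globals_in_pickle(data: bytes):
    """Every (module, name) the stream would import, recovered from opcodes alone.
    STACK_GLOBAL (protocol 4) takes module and name from the two most recent string
    pushes, and the pickler recalls an already-memoized string with BINGET, so the
    memo is tracked far enough to resolve those recalls."""
    found, pushed, memo = [], [], {}
    next_slot, last = 0, None  # MEMOIZE numbers slots sequentially; last string pushed
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            pushed.append(arg)
            last = arg
        elif op.name == "MEMOIZE":
            memo[next_slot] = last
            next_slot += 1
        elif op.name in PUT_OPS:
            memo[arg] = last
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if last is not None:
                pushed.append(last)
        elif op.name in ("GLOBAL", "INST"):  # pickletools renders the pair as "module name"
            found.append(tuple(arg.split(" ", 1)))
            last = None
        elif op.name == "STACK_GLOBAL":
            if len(pushed) >= 2:
                found.append((pushed[-2], pushed[-1]))
            last = None
        elif op.name not in ("PROTO", "FRAME", "MARK", "STOP"):
            last = None  # some non-string object was pushed
    return found


def scan_bytes(data: bytes):
    """Label each global 'deny', 'ok' (allowlisted) or 'unknown' (anything else)."""
    try:
        refs = globals_in_pickle(data)
    except (ValueError, EOFError) as exc:
        return [("error", f"unparseable pickle stream: {exc}")]
    return [("deny" if r in DENY_GLOBALS else "ok" if r in SAFE_GLOBALS else "unknown",
             ".".join(r)) for r in refs]


def scan_artifact(blob: bytes):
    """Scan a bare pickle, or every *.pkl member of a zip-wrapped checkpoint."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {m: scan_bytes(zf.read(m)) for m in zf.namelist() if m.endswith(".pkl")}
    return {"<pickle>": scan_bytes(blob)}


def is_clean(report) -> bool:
    """Clean only if every global in every member is allowlisted."""
    return all(label == "ok" for verdicts in report.values() for label, _ in verdicts)


def wrap_in_zip(pkl: bytes, member: str = "checkpoint/data.pkl") -> bytes:
    """Constructed stand-in for a zip-container checkpoint holding a compressed pickle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, pkl)
    return buf.getvalue()


# Constructed fixtures. Pickling the function object by name emits exactly the
# GLOBAL / STACK_GLOBAL reference a scanner must catch; nothing here is ever loaded.
BENIGN_PICKLE = pickle.dumps(OrderedDict(weights=[0.1, 0.2]), protocol=4)
ENSUREPIP_REF_P4 = pickle.dumps(ensurepip._run_pip, protocol=4)  # STACK_GLOBAL form
ENSUREPIP_REF_P2 = pickle.dumps(ensurepip._run_pip, protocol=2)  # GLOBAL form
ZIPPED_CHECKPOINT = wrap_in_zip(ENSUREPIP_REF_P4)
# Hand-assembled protocol-4 stream whose second global recalls the module string
# from the memo (BINGET 0); a scanner that ignores the memo mislabels it.
MEMO_RECALL_PICKLE = (b"\x80\x04"
                      b"\x8c\x0bcollections\x94"  # 'collections', memo slot 0
                      b"\x8c\x0bOrderedDict\x94"  # 'OrderedDict', memo slot 1
                      b"\x93\x94"                 # STACK_GLOBAL, memo slot 2
                      b"h\x00"                    # BINGET 0 -> 'collections'
                      b"\x8c\x05deque\x94"        # 'deque', memo slot 3
                      b"\x93\x94\x86.")           # STACK_GLOBAL, TUPLE2, STOP

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("zip-wrapped", ZIPPED_CHECKPOINT)):
        report = scan_artifact(blob)
        print(label, "clean" if is_clean(report) else "FLAGGED", report)
```

A file is clean only when every global it names is on the allowlist; an unknown global is a finding to triage, not a pass, which is the posture that survives the next unlisted callable. Running it over the model inventory from step 2 costs only a parse of each stream.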

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system supply chain management A.9.3 - AI system security
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-71344?

picklescan versions 0.0.26 and earlier fail to detect the Python built-in ensurepip._run_pip when embedded in a pickle file's __reduce__ method, meaning malicious ML model files crafted with this technique pass the scanner clean and execute arbitrary code on pickle.load(). This is a false-negative in a security control — teams relying on picklescan as the primary gate before loading third-party or user-supplied models now have a verified blind spot that adversaries can exploit with minimal skill once the bypass is public knowledge. While no active exploitation or public exploit code has been confirmed (not in CISA KEV, no EPSS data), pickle-based RCE has been weaponized before in ML supply chain attacks, and the technique is trivially reproduced from the advisory. Upgrade picklescan to 0.0.30 immediately and re-scan any model artifacts previously cleared by the affected versions.

Is CVE-2025-71344 actively exploited?

No confirmed active exploitation of CVE-2025-71344 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-71344?

  1. Patch immediately: upgrade picklescan to 0.0.30 or later — this is the only fix.

  2. Audit trust gap: any model artifact scanned clean by versions 0.0.26 and earlier cannot be trusted; re-scan the full model inventory with the patched version before next use.

  3. Prefer safe serialization: migrate model serialization to safetensors format where possible — it does not support arbitrary code execution by design and eliminates this attack class entirely.

  4. Sandbox model loading: run pickle.load() operations in isolated containers with dropped capabilities, no network egress, and read-only filesystem mounts to limit RCE blast radius.

  5. Manual indicator: grep model files for 'ensurepip' strings as a stop-gap detection heuristic while patching is in progress.

What systems are affected by CVE-2025-71344?

This vulnerability affects the following AI/ML architecture patterns: Model serving pipelines, Training pipelines, MLOps model registries, Model fine-tuning workflows, Automated model ingestion pipelines.

What is the CVSS score for CVE-2025-71344?

CVE-2025-71344 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

  • Model serving pipelines
  • Training pipelines
  • MLOps model registries
  • Model fine-tuning workflows
  • Automated model ingestion pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6, A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.

Exploitation Scenario

An adversary uploads a malicious model checkpoint to a public model hub or delivers it to a target as a 'fine-tuned' variant of a popular base model. The file is a standard pickle archive with a class whose __reduce__ method returns (ensurepip._run_pip, (['pip', 'install', 'attacker-package'],)) or similar payload delivering a reverse shell. The target organization's MLOps pipeline scans the file with picklescan 0.0.26 — the scan returns no threats found. The pipeline proceeds to load the model on a GPU inference server, triggering pickle.load(), which executes the payload. The attacker receives a shell inside the inference cluster with access to model weights, training data stores, and internal API credentials present in environment variables.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
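Step 4 of the remediation isolates the process that calls pickle.load(); the CWE-502 guidance above is to validate what arrives before trusting it. The standard library's hook for that is Unpickler.find_class, which is consulted for every global a stream tries to import. The following added example, written for this page and not picklescan's or any project's code, refuses every global outside a constructed allowlist, so a stream that names ensurepip._run_pip is rejected before the function is even imported, whatever any upstream scanner said. The allowlist and fixtures are assumptions.

```python
"""Load-time allowlist for pickle globals, as a second gate behind a scanner."""
import io
import pickle
from collections import OrderedDict

import ensurepip  # stdlib; used only to build the refusal fixture by name

# Constructed allowlist: the only globals this example's loader will resolve.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses every global that is not allowlisted.
    find_class runs for each GLOBAL / STACK_GLOBAL / INST opcode, so a __reduce__
    callable such as ensurepip._run_pip is rejected before it is imported, let
    alone called."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def safe_load(data: bytes):
    """Drop-in for pickle.loads that only resolves allowlisted globals."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def load_verdict(data: bytes):
    """('ok', object) for an allowlisted stream, ('refused', reason) otherwise."""
    try:
        return ("ok", safe_load(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


# Constructed fixtures: a plain checkpoint-like object, and a stream that merely
# names ensurepip._run_pip (the function pickled by reference; no call is encoded).
BENIGN_PICKLE = pickle.dumps(OrderedDict(bias=[0.5]), protocol=4)
ENSUREPIP_REF = pickle.dumps(ensurepip._run_pip, protocol=4)

if __name__ == "__main__":
    print(load_verdict(BENIGN_PICKLE))
    print(load_verdict(ENSUREPIP_REF))
```

The allowlist has to be as narrow as the loader's real needs (framework storage and rebuild helpers for a PyTorch checkpoint, for example), and the refusal should be logged as a detection event, since a rejected global in a file that a scanner cleared is exactly the signal this advisory describes.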

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 22, 2026
Last Modified
June 22, 2026
First Seen
June 22, 2026
