CVE-2025-71354: picklescan: scanner bypass enables arbitrary code execution

HIGH
Published June 24, 2026
CISO Take

picklescan before 0.0.29 does not flag malicious pickle payloads that route execution through Python's idlelib.debugobj.ObjectTreeItem.SetText from a __reduce__ method, so any pipeline that uses picklescan as the gate before pickle.load() is silently unprotected against this specific evasion. This is a security-tool bypass: an attacker who can place a crafted model file in your supply chain or shared model registry gets code execution on every system that loads it, with no privileges required and low attack complexity (CVSS 8.1). The 3 tracked downstream dependents understate real exposure, because picklescan is usually invoked directly from CI/CD scripts rather than imported as a library. No public exploit exists yet and the CVE is not in CISA KEV, but scanner bypasses are especially dangerous because they remove a defense while leaving false confidence in place; picklescan's history of 83 CVEs shows it is an active evasion-research target. Upgrade to picklescan 0.0.29 or later immediately, move model exchange to safetensors where feasible, and treat picklescan PASS results on externally sourced files as untrusted until patched environments are confirmed.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Risk is HIGH. The CVSS 8.1 vector (AV:N/AC:L/PR:N/UI:R) reflects low attack complexity with no privileges required; the User Interaction component maps to a human or automated process calling pickle.load(), which in MLOps pipelines usually happens automatically during model loading. The compounding factor is that this is a security-control bypass: organizations deploying picklescan have implicitly accepted pickle as a format on the assumption that scanning catches threats, and this CVE silently invalidates that assumption for the affected gadget. No EPSS data is available and no public exploit has been published, which slightly lowers immediate exploitation likelihood, but the advisory names the exact standard-library callable used, so reproducing the bypass requires no further research. CWE-502 (Deserialization of Untrusted Data) is the root weakness in the consumer that calls pickle.load(); picklescan is a blocklist of known-unsafe imports layered on top of that call, and its 83-CVE history shows the list is a sustained target for new gadgets rather than the site of an isolated miss.

How does the attack unfold?

  1. Craft Bypass Payload (AML.T0017.000)

    The adversary builds a pickle whose __reduce__ payload invokes idlelib.debugobj.ObjectTreeItem.SetText, a standard-library callable chosen because picklescan's list of unsafe globals did not include it.

  2. Inject into Supply Chain (AML.T0010.001)

    The adversary uploads the file to a public model registry or inserts it into an internal model repository, presenting it as a legitimate pre-trained model or checkpoint artifact.

  3. Scanner Bypass (AML.T0107)

    The victim's CI/CD pipeline runs picklescan below 0.0.29 on the file; the scan returns CLEAN because the gadget is unknown to it, silently removing the only security gate before model promotion.

  4. Arbitrary Code Execution (AML.T0072)

    The production pipeline calls pickle.load() on the promoted artifact; the embedded payload executes arbitrary commands with the ML worker process's privileges, enabling data exfiltration or infrastructure takeover.

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable range: < 0.0.29
Patched: 0.0.29
Package profile: 3 dependents, pushed 1 month ago, 68% patched, ~12 days to patch

Do you run picklescan below 0.0.29 anywhere in your pipeline? Then you are affected.

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

What should I do?

5 steps
  1. PATCH

    Upgrade picklescan to version 0.0.29 or later immediately. Audit all CI/CD environments, Docker base images, and local developer tooling for pinned older versions.

  2. FORMAT MIGRATION

    Migrate model exchange to safetensors format where possible. The format holds only a JSON header and raw tensor bytes, so loading it cannot execute code and needs no scanner. It carries tensors only, so artifacts that are genuinely pickled Python objects still need the controls below.

  3. SANDBOXING

    Run any remaining pickle.load() calls in isolated environments (restricted containers, gVisor, a dedicated low-privilege worker with no registry or cloud credentials) so that code execution cannot reach host infrastructure or adjacent services. Restricting the caller's builtins is not a control against pickle: the unpickler resolves GLOBAL and STACK_GLOBAL imports itself, independently of what the calling code can see. The Python-level control is an Unpickler subclass whose find_class() allow-lists the exact module.name pairs a checkpoint needs and refuses everything else.

  4. DETECTION

    Search CI/CD configs, Dockerfiles, lock files and requirements files for picklescan pins below 0.0.29, and check the version actually installed inside images (pip show picklescan), since an unpinned install may predate the fix. Until everything is on 0.0.29 or later, treat picklescan PASS results on externally sourced files as untrusted and require secondary validation. Because picklescan is a blocklist scanner, a PASS is never proof of safety; it only means no gadget on its list was seen.

  5. SUPPLY CHAIN CONTROLS

    Restrict trusted model registry sources and require cryptographic artifact signing (e.g., Sigstore/cosign) on model files ingested by production pipelines to reduce the injection surface.
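The following example illustrates two points from this page: why a blocklist-style opcode scanner, as described in the attack chain above, passes a payload whose gadget is not on its list, and what the find_class allow-list recommended in step 3 looks like in practice. It is an added example written for this page, not picklescan's code or the project's own loader. The three sample pickles are constructed inline; the toy BLOCKLIST and ALLOWED sets are assumptions standing in for real, much longer lists. The gadget samples are only parsed, never executed: the allow-list loader refuses them before any import happens.

```python
"""Blocklist scanning versus a find_class allow-list, on constructed pickles.

Added example written for this page; it is not picklescan's code. Sample pickles
are constructed inline. The two gadget samples are never executed: they are only
parsed by the scanner, and the allow-list loader refuses them before any import.
"""
from __future__ import annotations

import io
import pickle
import pickletools
from collections import OrderedDict

# Constructed sample 1: a checkpoint-like object a loader should legitimately accept.
BENIGN = pickle.dumps(OrderedDict(weights=[0.1, 0.2], epochs=3), protocol=4)

# Constructed sample 2: the textbook payload, hand-written in protocol 0 so the
# import reads "os.system" on every platform (pickle.dumps(os.system) on Unix
# emits "posix.system", a reminder that blocklists must cover aliases too).
# Opcodes: GLOBAL os system, MARK, UNICODE, TUPLE, REDUCE, STOP.
KNOWN_GADGET = b"cos\nsystem\n(Vecho demo\ntR."

# Constructed sample 3: protocol-4 opcodes referencing the module and class the
# advisory names. Only the import reference matters to a scanner; this is not a
# working payload. Opcodes: PROTO, SHORT_BINUNICODE x2, STACK_GLOBAL, EMPTY_TUPLE,
# REDUCE, STOP.
UNLISTED_GADGET = b"\x80\x04\x8c\x10idlelib.debugobj\x8c\x0eObjectTreeItem\x93)R."

# Toy signature list standing in for a scanner's blocklist (assumption: the real
# picklescan list is far longer, but it is still a finite list of known-bad names).
BLOCKLIST = {("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
             ("builtins", "eval")}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle imports, found by walking opcodes, not running them.

    Handles GLOBAL (protocols 0-3) and STACK_GLOBAL (protocol 4+), whose module and
    name are the two most recently pushed strings. Memo re-use of earlier strings
    (BINGET) is not modelled; a production scanner has to track that as well.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found


def blocklist_scan(data: bytes) -> str:
    """Signature-style verdict: DANGEROUS only when a listed global is referenced."""
    hits = [g for g in referenced_globals(data) if g in BLOCKLIST]
    return "DANGEROUS" if hits else "CLEAN"


# Globals a checkpoint is permitted to import. Assumption: extend this for your own
# format (a real torch state_dict needs a handful of torch rebuild helpers).
ALLOWED = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses any import not in ALLOWED; the check runs before the module is imported."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def allowlist_load(data: bytes) -> str:
    """LOADED if every import was permitted, REFUSED otherwise (the object is discarded)."""
    try:
        AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return "REFUSED"
    return "LOADED"


def compare(samples: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """(blocklist verdict, allow-list verdict) for each sample."""
    return {label: (blocklist_scan(data), allowlist_load(data))
            for label, data in samples.items()}


if __name__ == "__main__":
    samples = {"benign": BENIGN, "known_gadget": KNOWN_GADGET,
               "unlisted_gadget": UNLISTED_GADGET}
    for label, (block, allow) in compare(samples).items():
        print(f"{label:16} blocklist={block:10} allowlist={allow}")
```

The benign checkpoint passes both checks, the os.system payload is caught by both, and the unlisted gadget passes the blocklist while the allow-list refuses it. That asymmetry is the whole lesson of this CVE class: a blocklist needs a new signature for every gadget someone finds, whereas an allow-list of the few imports a checkpoint legitimately needs does not care which stdlib callable the attacker discovered next.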
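For the version-pin audit in step 4, the script below classifies picklescan requirement lines as vulnerable, fixed, or undecidable from the pin alone. It is an added example written for this page, not a picklescan or pip feature; it models the common PEP 440 operators on plain dotted versions, and the sample requirements file is constructed here to exercise the edge cases (ranges with a ceiling below the fix, unpinned lines, extras, compatible-release pins that admit the fixed version).

```python
"""Inventory check for the remediation step: classify picklescan pins in requirements files.

Added example written for this page; it is not a picklescan or pip feature. It
models the common PEP 440 operators (==, ===, ~=, >=, >, <=, <, !=) on plain
dotted versions and reports whether a requirement line can only resolve to a
vulnerable release (< 0.0.29), only to a fixed one, or needs the lock file or
installed environment to decide. The sample requirements below are constructed.
"""
from __future__ import annotations

import re
from typing import Optional

FIXED = (0, 0, 29)  # first release the advisory reports as detecting the gadget

# "picklescan", optional extras, then everything up to a comment or environment marker.
_REQ_LINE = re.compile(r"^\s*picklescan\s*(?:\[[^\]]*\])?\s*(?P<specs>[^#;]*)", re.IGNORECASE)
_SPEC = re.compile(r"^(===|==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """'0.0.29' -> (0, 0, 29). Pre-release and local suffixes are out of scope here."""
    return tuple(int(part) for part in text.split("."))


def classify_pin(line: str) -> Optional[str]:
    """None for lines not about picklescan; otherwise 'vulnerable', 'fixed' or 'unknown'.

    vulnerable: every version the specifier admits is below 0.0.29.
    fixed:      every version it admits is 0.0.29 or later.
    unknown:    the specifier admits both, is unpinned, or uses a form not modelled
                here (wildcards, URLs), so the resolved version must be checked.
    """
    m = _REQ_LINE.match(line)
    if not m:
        return None
    specs = [s.strip() for s in m.group("specs").split(",") if s.strip()]
    if not specs:
        return "unknown"  # bare 'picklescan': pip installs whatever the index offers
    if specs[0][0] not in "<>=~!":
        return None  # a different package such as 'picklescan-something'
    only_old = only_new = False
    for spec in specs:
        sm = _SPEC.match(spec)
        if not sm:
            return "unknown"
        op, ver = sm.groups()
        v = parse_version(ver)
        if op in ("==", "==="):
            return "vulnerable" if v < FIXED else "fixed"
        if op in (">=", ">", "~=") and v >= FIXED:
            only_new = True  # ~=X is >=X plus a prefix match, so the same floor applies
        elif op == "<" and v <= FIXED:
            only_old = True  # ceiling excludes the fix
        elif op == "<=" and v < FIXED:
            only_old = True
    if only_old and not only_new:
        return "vulnerable"
    if only_new and not only_old:
        return "fixed"
    return "unknown"


def audit_requirements(text: str) -> list[tuple[int, str]]:
    """(line number, verdict) for every picklescan line in a requirements file."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        verdict = classify_pin(line)
        if verdict is not None:
            results.append((lineno, verdict))
    return results


# Constructed sample requirements file exercising the cases above.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0
picklescan==0.0.27          # pinned by an old CI template
picklescan>=0.0.20,<0.0.29  # the ceiling keeps it vulnerable
picklescan>=0.0.29
picklescan                  # unpinned: check the lock file
picklescan[cli]<=0.0.28
PickleScan~=0.0.28          # admits 0.0.29, so resolution decides
"""

if __name__ == "__main__":
    for lineno, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {verdict}")
```

Run it over every requirements and constraints file in the repositories that feed your pipelines; an "unknown" verdict is not a pass, it means the lock file or the image itself (pip show picklescan) has to be checked. Since a 'vulnerable' pin is usually an old CI template rather than a deliberate choice, the usual fix is a single pin bump to 0.0.29 or later.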

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1 - Actions to address AI risks; A.8.2 - AI system security
NIST AI RMF: MANAGE-2.2 - Risk treatments and responses
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-71354?

CVE-2025-71354 is a detection bypass in picklescan: versions before 0.0.29 do not flag pickle payloads that invoke idlelib.debugobj.ObjectTreeItem.SetText from a __reduce__ method, so a crafted model file passes the scanner and executes arbitrary code when pickle.load() is called on it. It is rated HIGH (CVSS 8.1) and is fixed in picklescan 0.0.29; see the CISO Take at the top of this page for the full assessment.

Is CVE-2025-71354 actively exploited?

No confirmed active exploitation of CVE-2025-71354 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-71354?

Upgrade picklescan to 0.0.29 or later everywhere it runs (CI/CD, base images, developer tooling); move model exchange to safetensors where possible; isolate any remaining pickle.load() calls and allow-list the imports they may resolve; audit version pins and installed versions, treating PASS results from unpatched scanners as untrusted; and restrict model registry sources while requiring signed artifacts. The five steps are detailed under "What should I do?" above.

What systems are affected by CVE-2025-71354?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines with model scanning gates, model registries, model serving infrastructure, training pipelines, AI security toolchains.

What is the CVSS score for CVE-2025-71354?

CVE-2025-71354 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

MLOps pipelines with model scanning gates, model registries, model serving infrastructure, training pipelines, AI security toolchains

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.1, A.8.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

picklescan before 0.0.29 fails to detect malicious pickle files that exploit the idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

Exploitation Scenario

An adversary targeting an organization's ML pipeline crafts a pickle file embedding a reverse shell payload that invokes idlelib.debugobj.ObjectTreeItem.SetText inside a reduce method — this stdlib path is deliberately chosen because picklescan's detection logic does not flag it. The adversary publishes the file to a public Hugging Face repository as a fine-tuned model checkpoint, or injects it into an internal S3-backed model registry. The victim organization's CI/CD pipeline runs picklescan on ingested model files before promotion to production; the scan reports CLEAN. The pipeline proceeds to call torch.load() or pickle.load() on the promoted artifact, triggering the embedded payload, which establishes an outbound connection to the adversary's infrastructure. From that foothold the adversary has shell access to the ML pipeline worker with full access to GPU cluster credentials, training data stores, and production API keys present in the environment — enabling data exfiltration, model tampering, or deeper lateral movement.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Here the deserializing component is whatever calls pickle.load() on the model file; picklescan is the compensating control that failed to flag the input.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 24, 2026
Last Modified
June 24, 2026
First Seen
June 24, 2026
