CVE-2025-71357: picklescan: detection bypass enables RCE via malicious models

HIGH
Published June 21, 2026
CISO Take

picklescan, a widely deployed scanner for malicious pickle files in AI/ML pipelines, contains a detection bypass: a pickle whose reduce method calls `idlelib.pyshell.ModifiedInterpreter.runcommand` runs that code on load, yet versions before 0.0.30 report the file as clean. For organizations that use picklescan as the primary gate before loading model files, a common pattern in MLOps pipelines, model registries and Hugging Face workflows, this is a false-sense-of-security gap: the file is marked clean but executes attacker code with the privileges of whatever process loads it, with high confidentiality and integrity impact (CVSS 3.1 base score 8.1). No public exploit or CISA KEV listing exists yet, but low attack complexity and the tool's trusted role as a defense layer raise the practical risk, particularly given the 73 prior CVEs in the same package, which signal a repeatedly targeted attack surface. Upgrade to picklescan 0.0.30 or later now, and complement scanning with safetensors as the preferred model serialization format for new deployments.

Sources: NVD, GitHub Advisory, VulnCheck, MITRE ATLAS

What is the risk?

This is a defense evasion vulnerability in a security tool, which is categorically more dangerous than the same flaw in a general library—organizations that have integrated picklescan into their pipeline believe they are protected when they are not. CVSS 8.1 High with low complexity and no required privileges means an attacker only needs to deliver a crafted pickle file; the user-interaction requirement is trivially satisfied in any model-sharing workflow where a data scientist or pipeline loads an externally-sourced checkpoint. With 73 prior CVEs in the same package, this tool has a sustained history of evasion research targeting it, and the 3 downstream dependents inherit the false-confidence risk.

How does the attack unfold?

Artifact Crafting
Adversary crafts a malicious pickle file whose reduce method calls idlelib.pyshell.ModifiedInterpreter.runcommand, so that unpickling the file runs attacker-supplied code.
AML.T0011.000
Scanner Evasion
The crafted pickle file is scanned by picklescan pre-0.0.30, which fails to detect the malicious reduce method and issues a clean verdict.
AML.T0107
Model Distribution
The scanner-approved malicious file is published to a model registry, shared storage, or delivered via social engineering targeting ML engineers or CI/CD pipelines.
AML.T0010.001
Code Execution
Victim loads the approved pickle file in their ML environment; unpickling triggers the embedded reduce call and executes attacker code with the loading process's privileges and data access.
AML.T0018.002

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         < 0.0.30           0.0.30
3 downstream dependents (per the package profile)

Do you use picklescan before 0.0.30? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I High
A None

What should I do?

5 steps
  1. Upgrade picklescan to version 0.0.30 or later immediately—this is the patched release per the advisory.

  2. Audit any pickle files scanned and approved by previous versions; treat them as potentially compromised until re-scanned.

  3. Migrate new model serialization to safetensors format, which prohibits arbitrary code execution by design.

  4. Add defense-in-depth: load externally-sourced models in sandboxed environments (gVisor, Firecracker, subprocess isolation) regardless of scanner verdict.

  5. Interim detection: as a stopgap until upgraded, inspect pickle files for references to 'idlelib' or 'ModifiedInterpreter'. A byte-level grep is the cheapest check, but it only catches the literal strings; it misses payloads stored inside compressed containers and says nothing about what the pickle actually calls, so treat a grep hit as a lead and a grep miss as no information. Walking the opcode stream with pickletools.genops (never pickle.load) and flagging GLOBAL/STACK_GLOBAL references to the module is the more reliable form of the same check.
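The opcode-level form of step 5, as an added example that is not picklescan's own code and not part of the original advisory. It parses the pickle stream with pickletools.genops, so nothing is imported or executed, and it recovers the module/name pair both for the plain GLOBAL opcode and for the STACK_GLOBAL form, including the case where the strings were pushed early, memoized and fetched back with BINGET right before the call (the scanner-evasion step in the attack chain above). It also looks inside zip containers holding *.pkl members, the layout PyTorch checkpoints use. The blocklist (the whole idlelib package, not just idlelib.pyshell), the two malicious sample pickles and the zip container are constructed for illustration and are never unpickled.

```python
"""Opcode-level pickle check (added example, not picklescan's code).

pickletools.genops only parses the opcode stream, so nothing is imported or
executed while scanning. A small stack/memo model recovers STACK_GLOBAL operands
even when they were pushed early, memoized and fetched back with BINGET.
"""
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# idlelib.pyshell is the module named in the advisory; refusing the whole idlelib
# package is an assumption (an IDE module has no business in a model file).
SUSPICIOUS_MODULE_PREFIXES = ("idlelib",)
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
_MARK = object()


def _pop_to_mark(stack):
    while stack and stack.pop() is not _MARK:
        pass


def _pop_n(stack, n):
    del stack[max(0, len(stack) - n):]


def find_globals(data: bytes) -> list:
    """Return (module, name) for every GLOBAL, STACK_GLOBAL or INST in the stream."""
    found, stack, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            stack.append(arg)
        elif name == "MARK":
            stack.append(_MARK)
        elif name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))  # genops joins module and name with a space
            if name == "INST":
                _pop_to_mark(stack)
            stack.append(None)
        elif name == "STACK_GLOBAL":
            attr = stack.pop() if stack else None     # name is on top, module below it
            module = stack.pop() if stack else None
            found.append((module, attr))
            stack.append(None)
        elif name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif name in PUT_OPS:
            memo[arg] = stack[-1] if stack else None
        elif name in GET_OPS:
            stack.append(memo.get(arg))
        else:
            # Generic opcode: consume what it consumes, push placeholders for what it produces.
            before = op.stack_before
            if pickletools.markobject in before:
                _pop_to_mark(stack)
                _pop_n(stack, before.index(pickletools.markobject))
            else:
                _pop_n(stack, len(before))
            stack.extend([None] * len(op.stack_after))
    return found


def scan_blob(data: bytes) -> list:
    """Scan a raw pickle or a zip container with *.pkl members (PyTorch layout).

    Returns (member, module, name) per blocklist hit. A module the stack model
    could not resolve is reported as well, so the check fails closed.
    """
    members = [("<raw>", data)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(i.filename, zf.read(i)) for i in zf.infolist()
                       if i.filename.endswith(".pkl")]
    return [(member, module, attr)
            for member, payload in members
            for module, attr in find_globals(payload)
            if module is None or module.startswith(SUSPICIOUS_MODULE_PREFIXES)]


# Constructed samples (not real-world artifacts); neither is ever unpickled here.
# Protocol 2: one GLOBAL opcode carries module and name as newline-terminated text.
SAMPLE_GLOBAL = (b"\x80\x02"
                 b"cidlelib.pyshell\nModifiedInterpreter.runcommand\n"
                 b")R.")                               # EMPTY_TUPLE, REDUCE, STOP
# Protocol 4: strings are pushed, memoized and popped, then fetched back with
# BINGET just before STACK_GLOBAL, so the reference is not visible as one unit.
SAMPLE_STACK_GLOBAL = (b"\x80\x04"
                       b"\x8c\x0fidlelib.pyshell\x94"                 # SHORT_BINUNICODE, MEMOIZE
                       b"\x8c\x1eModifiedInterpreter.runcommand\x94"  # SHORT_BINUNICODE, MEMOIZE
                       b"00"                                          # POP, POP
                       b"h\x00h\x01"                                  # BINGET 0, BINGET 1
                       b"\x93)R.")                                    # STACK_GLOBAL, EMPTY_TUPLE, REDUCE, STOP
# A benign checkpoint-like object; its only global is collections.OrderedDict.
BENIGN_CHECKPOINT = pickle.dumps({"weights": [1.0, 2.0], "meta": OrderedDict(epoch=3)}, protocol=4)


def build_zip_container(pkl: bytes) -> bytes:
    """Wrap a pickle as model/data.pkl in a deflated zip (constructed container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("model/data.pkl", pkl)
        zf.writestr("model/version", b"3\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("GLOBAL form", SAMPLE_GLOBAL), ("STACK_GLOBAL form", SAMPLE_STACK_GLOBAL),
                        ("zip container", build_zip_container(SAMPLE_STACK_GLOBAL)),
                        ("benign", BENIGN_CHECKPOINT)]:
        print(f"{label}: {scan_blob(blob) or 'clean'}")
```

The stack model is a heuristic, not a full unpickler: it tracks only strings, marks and memo slots and treats every other value as an opaque placeholder, which is enough to pair STACK_GLOBAL with its operands in the layouts pickle itself emits. Anything it cannot resolve is reported rather than ignored.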

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MANAGE-2.2 - Mechanisms to manage AI risks are integrated into risk management processes
MAP-1.5 - Organizational risk tolerances are determined and documented
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-71357?

A detection bypass in picklescan before 0.0.30: a pickle file whose reduce method calls `idlelib.pyshell.ModifiedInterpreter.runcommand` is reported as clean but executes attacker code when loaded (CVSS 3.1 base score 8.1, High). The bypass is fixed in picklescan 0.0.30; see the CISO Take above for the operational context.

Is CVE-2025-71357 actively exploited?

No confirmed active exploitation of CVE-2025-71357 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-71357?

1. Upgrade picklescan to 0.0.30 or later. 2. Re-scan pickle files approved by earlier versions and treat them as suspect until then. 3. Move new model serialization to safetensors, which cannot carry code. 4. Load externally sourced models in a sandbox (gVisor, Firecracker, subprocess isolation) regardless of scanner verdict. 5. As a stopgap, inspect pickle opcodes (pickletools.genops, never pickle.load) for GLOBAL/STACK_GLOBAL references to idlelib.pyshell; a byte-level grep for 'idlelib' or 'ModifiedInterpreter' is a weaker fallback that misses compressed containers.

What systems are affected by CVE-2025-71357?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, model registries, CI/CD model validation.

What is the CVSS score for CVE-2025-71357?

CVE-2025-71357 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps pipelines, model registries, CI/CD model validation

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2, MAP-1.5
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims.

Exploitation Scenario

An adversary targeting an MLOps team publishes a shared PyTorch model checkpoint as a pickle file crafted to use `idlelib.pyshell.ModifiedInterpreter.runcommand` in its reduce method, embedding a reverse shell or credential harvester. The victim organization's CI/CD pipeline runs picklescan on all incoming models; this file passes the scan and is approved for use. When a data scientist or inference server loads the model for evaluation, the embedded payload executes in the ML environment with access to training data, API keys in environment variables, and internal network resources—all while the pipeline logs show a clean security scan.
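The scenario above fails because the scanner's verdict is the only control between the file and pickle.load. One in-process complement to the sandboxing in step 4, as an added example that is not picklescan's code and not a picklescan feature: an Unpickler subclass whose find_class only resolves globals on an explicit allowlist. GLOBAL, STACK_GLOBAL and INST all pass through find_class, so a reduce that targets idlelib.pyshell.ModifiedInterpreter.runcommand is refused before the module is even imported, whatever the scan said. The allowlist contents and the malicious sample bytes are assumptions for illustration; the allowlist must never contain anything callable with attacker-chosen arguments, and allowlisted classes still run their own __setstate__ and reduce hooks, so this narrows the attack surface rather than replacing isolation.

```python
"""Fail-closed pickle loading with an allowlisting Unpickler (added example).

Not picklescan's code. Complements scanning: even when a scan wrongly says
"clean", find_class refuses every global outside ALLOWED_GLOBALS, so the
malicious reduce target is never imported, let alone called.
"""
import io
import pickle
from collections import OrderedDict

# (module, qualname) pairs this loader may resolve. An assumption for the demo;
# keep it as small as your own artifacts allow and never allowlist anything that
# runs attacker-chosen arguments (os.system, builtins.eval, subprocess.*).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler whose find_class refuses anything outside ALLOWED_GLOBALS.

    find_class is the single choke point through which GLOBAL, STACK_GLOBAL and
    INST resolve callables, so REDUCE/NEWOBJ/BUILD can only reach allowlisted
    objects. The check runs before any import of the requested module.
    """

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                f"refused to resolve {module}.{name}: not on the allowlist")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Unpickle data under the allowlist; raises pickle.UnpicklingError on refusal."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


# Constructed sample (not a real-world artifact): a protocol-2 pickle whose REDUCE
# targets the method named in the advisory, with an empty argument tuple. It is
# only used to exercise the refusal path.
CONSTRUCTED_MALICIOUS = (b"\x80\x02"
                         b"cidlelib.pyshell\nModifiedInterpreter.runcommand\n"
                         b")R.")


def demo():
    """Load a benign OrderedDict, then attempt the malicious sample; return both outcomes."""
    benign = pickle.dumps(OrderedDict(epoch=3, lr=0.01), protocol=4)
    loaded = safe_loads(benign)
    try:
        safe_loads(CONSTRUCTED_MALICIOUS)
        refusal = None          # would mean the guard failed
    except pickle.UnpicklingError as exc:
        refusal = str(exc)
    return loaded, refusal


if __name__ == "__main__":
    loaded, refusal = demo()
    print("benign   ->", dict(loaded))
    print("malicious ->", refusal)
```

Because the refusal happens inside find_class, the malicious sample never causes an import of idlelib; the loader raises while the GLOBAL opcode is being resolved, before REDUCE is reached.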

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 21, 2026
Last Modified
June 21, 2026
First Seen
June 21, 2026
