CVE-2025-71361: picklescan: scanner bypass allows RCE via pickle load

HIGH
Published June 24, 2026
CISO Take

picklescan before 0.0.29 fails to flag the idlelib.calltip.Calltip.fetch_tip call chain when embedded in pickle files, creating a detection bypass that lets malicious model files pass security scans and execute arbitrary code on load. This is particularly dangerous in AI/ML environments because picklescan is the de facto open-source defense against pickle-based model supply chain attacks — teams relying on it have false confidence in any file scanned before 0.0.29. With only 3 tracked downstream dependents the direct blast radius appears limited on paper, but picklescan is commonly invoked ad-hoc in CI/CD pipelines and model review workflows that don't surface in package dependency graphs, meaning actual exposure is wider than the number suggests. No public exploit or active exploitation has been reported, but the bypass abuses standard library primitives, making it accessible to any motivated attacker who knows the target organization uses picklescan. Upgrade to 0.0.29 immediately and re-scan any pickle files cleared by earlier versions.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk specifically in AI/ML environments because the vulnerability neutralizes a compensating control rather than introducing a new primitive. CVSS 8.1 is accurate: no privileges needed, network-reachable via model-sharing workflows, high confidentiality and integrity impact. The user-interaction requirement (someone must call pickle.load()) dampens automated mass exploitation but does not reduce risk in model-sharing supply chains where loading artifacts is routine and expected. The real danger is targeted attacks where an adversary tailors a payload knowing the target runs picklescan — the bypass makes evasion reliable. Pickle deserialization RCE is a well-understood attack class in ML security; the novelty here is the specific gadget (idlelib.calltip.Calltip.fetch_tip), not the underlying technique.

How does the attack unfold?

  1. Artifact Weaponization (AML.T0011.000): Attacker crafts a pickle file embedding a malicious idlelib.calltip.Calltip.fetch_tip call chain that executes arbitrary OS commands upon deserialization.

  2. Scanner Evasion (AML.T0074): The malicious pickle file is submitted to picklescan (< 0.0.29), which fails to flag the specific call chain, returning a clean result and generating false assurance.

  3. Supply Chain Distribution (AML.T0010.001): The scanner-approved file is placed in a model registry or shared storage, where the target retrieves and trusts it based on the clean scan result.

  4. Remote Code Execution (AML.T0018.002): Victim calls pickle.load() on the approved file, triggering the embedded payload and granting the attacker code execution at the privilege level of the loading process.

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch
Package stats: 413 (unlabelled count), 3 dependents, pushed 1 month ago, 68% patched, ~12 days to patch

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None

What should I do?

6 steps
  1. Upgrade picklescan to 0.0.29 or later immediately — this is the primary fix addressing the idlelib.calltip.Calltip.fetch_tip bypass.

  2. Re-scan all pickle files previously cleared by versions before 0.0.29, prioritizing files received from external sources or shared via model registries.

  3. As defense-in-depth, load untrusted pickle files inside isolated sandbox environments (e.g., gVisor containers, VMs) regardless of scanner results.

  4. Audit all CI/CD pipeline scanner version pins and dependency lockfiles and update accordingly.

  5. Consider migrating model serialization to safetensors format, which does not support arbitrary code execution by design, eliminating this class of risk entirely.

  6. For detection of exploitation, monitor for unexpected child process spawning or outbound network connections from model-loading processes.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: 8.4 - AI system lifecycle — supply chain risk management
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI risk treatments
OWASP LLM Top 10: LLM03 - Supply Chain

Frequently Asked Questions

Is CVE-2025-71361 actively exploited?

No confirmed active exploitation of CVE-2025-71361 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-71361?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps CI/CD pipelines, model registries, data science workstations.

What is the CVSS score for CVE-2025-71361?

CVE-2025-71361 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps CI/CD pipelines, model registries, data science workstations

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().

Exploitation Scenario

An attacker targeting an ML engineering team that uses picklescan as their model security gate uploads a trojanized model checkpoint to an internal model registry or sends it via a trusted sharing channel (Slack, S3 bucket, email). The pickle file contains a payload using idlelib.calltip.Calltip.fetch_tip to spawn a reverse shell. When the team runs picklescan (< 0.0.29) as part of their model review process, it reports clean — the team proceeds with confidence. A data scientist or MLOps engineer loads the model via pickle.load() on their workstation or inference server, triggering execution. The attacker gains RCE with the process's credentials, enabling lateral movement to training data stores, model artifact repositories, or cloud infrastructure with the service account's permissions.

Weaknesses (CWE)

CWE-95 — Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

  • [Architecture and Design, Implementation] If possible, refactor your code so that it does not need to use eval() at all.
  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis

Source: MITRE CWE corpus.
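picklescan works from a denylist of known-dangerous imports, which is exactly why an unlisted gadget such as idlelib.calltip.Calltip.fetch_tip slips through; the "accept known good" guidance above and the defense-in-depth step of not trusting scanner output both invert that model. The following is an added example (not picklescan's code, nor anything from the advisory) that enumerates every global a pickle file would import using pickletools.genops without loading it, checks them against a hypothetical ALLOWED_GLOBALS set, and pairs that with an Unpickler whose find_class refuses anything outside the same set; the allowlist contents and the sample pickles are constructed for the demo.

```python
import io
import pickle
import pickletools
from collections import OrderedDict, deque

# Hypothetical allowlist: the only (module, name) pairs a trusted model file
# is expected to reference. Anything not listed here fails closed.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}

# Opcodes that push a str; STACK_GLOBAL (protocol 4+) consumes the two most recent.
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every global a pickle would import, without loading it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(str(arg))
        elif op.name in ("GLOBAL", "INST"):       # protocol 0-3: arg is "module name"
            module, name = str(arg).split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":           # protocol 4+: name on top, module below
            if len(strings) >= 2:
                name, module = strings.pop(), strings.pop()
                found.append((module, name))
            else:                                 # e.g. memo-reused string: do not guess
                found.append(("<unresolved>", "<unresolved>"))
        elif op.name in ("EXT1", "EXT2", "EXT4"):  # copyreg extension registry lookups
            found.append(("<extension-registry>", str(arg)))
    return found


def disallowed_globals(data: bytes) -> list[tuple[str, str]]:
    """References not covered by the allowlist; an empty list means the file is clean."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]


class AllowlistUnpickler(pickle.Unpickler):
    """Runtime counterpart: refuse to resolve any global outside the allowlist."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


# Constructed samples: a benign checkpoint-like dict at protocol 2 (GLOBAL opcode)
# and protocol 4 (STACK_GLOBAL), plus a reference to a class outside the allowlist.
BENIGN_P2 = pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=2)
BENIGN_P4 = pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=4)
UNEXPECTED = pickle.dumps(deque, protocol=4)
```

Running disallowed_globals over a file before any pickle.load() call gives a review artefact that does not depend on the scanner knowing the gadget; the unresolved and extension-registry markers are deliberately never allowlisted.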

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 24, 2026
Last Modified
June 24, 2026
First Seen
June 24, 2026
