CVE-2025-71365: picklescan: detection bypass enables RCE via numpy.f2py

HIGH
Published June 23, 2026
CISO Take

picklescan is a dedicated security scanner used by ML teams to vet pickle-format model files before loading; versions before 0.0.33 fail to flag malicious payloads that route code execution through numpy.f2py.crackfortran.myeval via the pickle reduce protocol, meaning files it marks clean can still execute arbitrary commands on the host. Teams operating CI/CD model-vetting pipelines or manually scanning externally sourced checkpoints from repositories like HuggingFace are running under a false sense of security — the scanner gives a green light while the payload executes on load. With CVSS 8.1, network-accessible attack vector, and no privileges required, the primary friction is user interaction (someone must load the file), making poisoned public model repos a realistic distribution channel; no active KEV listing or EPSS data yet, but low complexity favors opportunistic exploitation as this bypass becomes public knowledge. Upgrade picklescan to 0.0.33 or later immediately, re-scan previously cleared model files from untrusted sources, and layer in safetensors-format adoption and sandboxed model loading as defense-in-depth.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk, driven by the paradox of a security control becoming the gap itself. CVSS 8.1 reflects dual High impact on confidentiality and integrity with network attack vector and low complexity. The practical risk is elevated beyond the base score: organizations that have picklescan in their pipeline may be *more* exposed than those without it, because the scanner's clean verdict suppresses further scrutiny. Any ML team loading models from external sources (public hubs, partner-supplied weights, third-party fine-tunes) without a secondary control is fully exposed until patched.

How does the attack unfold?

  1. Craft Malicious Artifact (ATLAS AML.T0018.002): Adversary crafts a pickle model file that routes code execution through numpy.f2py.crackfortran.myeval via the reduce method, deliberately selecting a call path absent from picklescan's pre-0.0.33 opcode blocklist.

  2. Distribute via Model Hub (ATLAS AML.T0011.000): Adversary publishes the malicious checkpoint to a public model repository (e.g., HuggingFace Hub) under a convincing name, making it available for download by targeted ML teams.

  3. Evade Security Scanner (ATLAS AML.T0107): Victim scans the downloaded file with a vulnerable picklescan version (<0.0.33); the scanner returns a clean result, granting the file implicit trust and bypassing the security gate.

  4. Arbitrary Code Execution (ATLAS AML.T0011): Victim loads the model with torch.load() or pickle.load(); Python's deserializer invokes the embedded payload via myeval, executing arbitrary commands with the loading process's OS privileges.

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch


How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

5 steps
  1. Upgrade picklescan to ≥ 0.0.33 across all environments — development, CI/CD, and production model-loading hosts — and verify the updated version is invoked (not a cached older binary).

  2. Re-scan all model files previously cleared by vulnerable picklescan versions, prioritizing those sourced from public repositories or untrusted third parties.

  3. Migrate model serialization to safetensors format where operationally feasible — this eliminates the pickle deserialization attack surface entirely.

  4. Sandbox model loading: run torch.load() / pickle.load() calls in isolated containers or VMs with no network egress and minimal filesystem access, so that even successful code execution has bounded blast radius.

  5. Audit HuggingFace Hub downloads and other external model sources; treat any model file scanned with picklescan < 0.0.33 as unverified until re-scanned.
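Steps 2 and 4 above only help if the scanner's verdict can be trusted, and the bypass exists because a blocklist cannot name a callable it has never seen. As an added example (not picklescan's code and not from the advisory), the following allowlist scanner walks a pickle stream with pickletools.genops, collects every global the stream would import, and reports anything outside a set of known-good names, so an unfamiliar callable is flagged instead of passed. The allowlist and the two sample streams are constructed for illustration; extend ALLOWED_GLOBALS with the globals your own checkpoints actually reference.

```python
import pickle
import pickletools
from collections import OrderedDict
# Constructed allowlist: extend it with the exact (module, name) pairs your checkpoints
# need; anything else is reported, so an unfamiliar callable such as
# numpy.f2py.crackfortran.myeval is flagged rather than passed as a blocklist would.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}

def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Every (module, name) the stream would import, found without executing it."""
    # GLOBAL carries both names inline; STACK_GLOBAL (protocol 4+) takes them from the
    # two most recent string pushes, which may come back out of the memo, so track both.
    refs, strings, memo, last = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.add((module, name))
            last = None
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in PUT_OPS:
            memo[arg] = last
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL; refusing to scan")
            name, module = strings.pop(), strings.pop()
            refs.add((module, name))
            last = None
        else:
            last = None
    return refs

def scan(data: bytes, allowed=ALLOWED_GLOBALS) -> list[tuple[str, str]]:
    """Globals outside the allowlist, sorted; an empty list means the stream is clean."""
    return sorted(referenced_globals(data) - set(allowed))

# Constructed samples: a benign state-dict-style object, and a raw protocol-0 stream that
# only names the advisory's callable (no REDUCE opcode, so nothing is ever called).
BENIGN = pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=4)
SUSPICIOUS = b"cnumpy.f2py.crackfortran\nmyeval\n."
```

Run scan() over a file's bytes before torch.load(); a non-empty result is a reason to quarantine the file, not a prompt to extend the allowlist.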

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.6 - AI system supply chain
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to identified risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions


Is CVE-2025-71365 actively exploited?

No confirmed active exploitation of CVE-2025-71365 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2025-71365?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML CI/CD pipelines, model repositories.

What is the CVSS score for CVE-2025-71365?

CVE-2025-71365 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, ML CI/CD pipelines, model repositories

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

picklescan before 0.0.33 fails to detect malicious pickle files that invoke the numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded.

Exploitation Scenario

An adversary crafts a PyTorch model checkpoint (.pt file) that embeds a reverse shell payload using numpy.f2py.crackfortran.myeval routed through pickle's __reduce__ protocol — a call path not covered by picklescan's pre-0.0.33 opcode allowlist. The file is uploaded to a public HuggingFace repository under a convincing model name (e.g., a fine-tuned LLaMA variant). A victim ML engineer discovers the model, downloads it, and runs picklescan as part of their standard vetting workflow; the scanner reports no issues. The engineer loads the model with torch.load() on their GPU workstation. During deserialization, myeval executes the embedded payload, spawning a reverse shell to attacker infrastructure with the engineer's OS privileges — granting access to training data, API keys stored in the environment, and potentially the broader corporate network.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: June 23, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
