CVE-2025-71370: picklescan: scanner bypass enables arbitrary code execution

HIGH
Published June 23, 2026
CISO Take

picklescan, the de facto open-source security gate for detecting malicious pickle-format ML model files, fails to recognize payloads using PyTorch's torch.jit.unsupported_tensor_ops.execWrapper function in versions prior to 0.0.28 — meaning files it clears can still execute arbitrary code when deserialized with pickle.load(). The vulnerability is particularly damaging because it converts a trusted security control into false assurance: any pipeline that scans with picklescan and then loads the result is now operating without the protection it believes it has, and the low attack complexity with no required privileges makes this accessible to a broad range of threat actors. EPSS data is not yet available and there is no confirmed in-the-wild exploitation, but the delivery vector — model files shared via registries, Hugging Face Hub, or internal repositories — is a routine and high-frequency operation in ML teams. Upgrade to picklescan 0.0.28 immediately, re-scan previously cleared model files with the patched version, and treat any externally-sourced pickle file loaded while running a vulnerable picklescan version as potentially compromised.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk specifically for organizations that use picklescan as their primary or sole defense against malicious pickle deserialization. The CVSS 8.1 reflects low attack complexity, no required privileges, and high confidentiality and integrity impact. The most dangerous aspect is trust inversion: teams that adopted picklescan to safely enable loading of external model files are now more exposed than teams that never deployed it, because they may have lowered other controls. The blast radius scales with how broadly models are shared — organizations ingesting community models, running model hubs, or operating collaborative ML environments face the highest risk. Teams using safetensors or ONNX exclusively have negligible exposure.

How does the attack unfold?

Craft malicious pickle
Adversary creates a .pt/.pkl file embedding arbitrary code via torch.jit.unsupported_tensor_ops.execWrapper, a function call pattern outside picklescan's detection rules.
AML.T0018.002
Bypass security scan
The malicious file is submitted to a picklescan-protected ingestion pipeline (model registry, CI/CD gate, or upload endpoint); picklescan < 0.0.28 reports the file as clean.
AML.T0107
Victim loads model
A user or automated pipeline executes pickle.load() on the scanner-approved file, trusting the security gate's verdict without additional validation.
AML.T0011.000
Arbitrary code execution
The embedded payload executes with the privileges of the loading process, enabling credential theft, data exfiltration, or lateral movement within ML infrastructure.
AML.T0072

What systems are affected?

Package Ecosystem Vulnerable Range Patched
picklescan pip No patch

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

6 steps
  1. Upgrade picklescan to 0.0.28 or later — this is the only complete remediation.

  2. Re-scan all model files previously cleared by a vulnerable picklescan version; treat any file that was loaded before patching as untrusted until re-verified.

  3. Migrate externally-sourced models to safe serialization formats (safetensors, ONNX) as defense-in-depth — these formats do not support arbitrary code execution by design.

  4. Restrict outbound network connectivity from model-loading processes to limit RCE blast radius until patching is complete.

  5. Sandbox model loading in isolated environments with syscall monitoring (seccomp, gVisor) as a compensating control.

  6. Detection: monitor for unexpected process spawning from Python pickle.load() contexts and alert on torch.jit.unsupported_tensor_ops references in model files at ingestion time.
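As an added example (not code from this page or from the picklescan project), here is the ingestion-time check from step 6 written so that it never deserializes the file: pickletools disassembles the opcode stream and every GLOBAL / STACK_GLOBAL reference is compared against a blocklist that includes torch.jit.unsupported_tensor_ops. The torch.save() zip layout (*/data.pkl) and the blocklist contents are assumptions, and the sample input is constructed.

```python
import io
import pickletools
import zipfile

# Globals whose appearance in a pickle should block ingestion: the function named in
# the advisory plus a few well-known code-execution modules (assumed blocklist).
BLOCKED_MODULES = ("torch.jit.unsupported_tensor_ops", "os", "subprocess", "builtins", "runpy")
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8", "STRING", "BINSTRING", "SHORT_BINSTRING"}

def pickle_globals(stream: bytes):
    """(module, name) pairs the stream references; genops only disassembles, never loads."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(stream):
        if op.name in STRING_OPS:
            strings.append(arg)                  # candidate STACK_GLOBAL operands
        elif op.name == "GLOBAL":                # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: name and module come off the stack
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
    return found

def pickle_streams(blob: bytes):
    """torch.save() emits a zip holding */data.pkl (assumed layout); a bare .pkl is the stream itself."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.filename.endswith(".pkl"):
                    yield zf.read(info)
    else:
        yield blob

def blocked_references(blob: bytes):
    """Ingestion-time gate (step 6): dotted names of blocked globals the file references."""
    hits = []
    for stream in pickle_streams(blob):
        for module, name in pickle_globals(stream):
            if any(module == b or module.startswith(b + ".") for b in BLOCKED_MODULES):
                hits.append(f"{module}.{name}")
    return hits

def constructed_sample() -> bytes:
    """Constructed input: a protocol-4 stream that only references the advisory's function (no REDUCE, nothing runs) inside a torch-style zip."""
    mod, fn = b"torch.jit.unsupported_tensor_ops", b"execWrapper"
    stream = b"\x80\x04\x8c" + bytes([len(mod)]) + mod + b"\x8c" + bytes([len(fn)]) + fn + b"\x93."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", stream)
    return buf.getvalue()
```

A non-empty result from blocked_references() should fail the upload before the file reaches any process that would call pickle.load() on it.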

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - AI system supply chain management
NIST AI RMF
MANAGE 2.2 - Third-party and AI supply chain risk treatment
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2025-71370 actively exploited?

No confirmed active exploitation of CVE-2025-71370 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-71370?

This vulnerability affects the following AI/ML architecture patterns: model registries, training pipelines, model serving, MLOps CI/CD pipelines, collaborative notebook environments.

What is the CVSS score for CVE-2025-71370?

CVE-2025-71370 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

model registries
training pipelines
model serving
MLOps CI/CD pipelines
collaborative notebook environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via pickle.load().

Exploitation Scenario

An adversary targets an ML platform that accepts PyTorch model uploads and scans them with picklescan before making them available to other users. The attacker crafts a malicious .pt file embedding a reverse shell payload inside a torch.jit.unsupported_tensor_ops.execWrapper call — a function call pattern not covered by picklescan's detection signatures. The file passes the picklescan gate and is marked safe. When a downstream data scientist or an automated inference pipeline loads the model via pickle.load(), the execWrapper payload executes in that process context, establishing a reverse shell from the inference server. From there, the adversary exfiltrates API keys stored in environment variables, proprietary model weights, or training datasets, and pivots to internal infrastructure through the ML environment's existing network access.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 23, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026
