CVE-2025-71376: picklescan: scanner bypass enables undetected RCE

HIGH
Published June 23, 2026
CISO Take

picklescan before 0.0.29 contains a detection gap that allows attackers to craft malicious pickle files using the `idlelib.autocomplete.AutoComplete.fetch_completions` reduce method, completely evading the scanner and enabling arbitrary code execution when the file is loaded. This is a compounded risk: organizations using picklescan as their primary security gate before loading ML models or datasets now operate under false assurance—the scanner approves files that will execute attacker-controlled code at load time. While no public exploit or KEV listing exists yet, the bypass technique is fully documented in the GHSA advisory and requires only moderate Python knowledge to reproduce. Patch to picklescan 0.0.29 immediately, re-scan all pickle files previously cleared by older versions, and evaluate migrating to safetensors as the default serialization format.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk for any organization using picklescan as a mandatory security gate in ML artifact workflows. The vulnerability is a scanner evasion (CWE-502), not a flaw in pickle itself—meaning the danger is amplified by misplaced organizational trust in a tool now confirmed bypassable. CVSS 8.1 reflects network delivery, low complexity, and high confidentiality plus integrity impact. User interaction is required, but loading a model is normal operational behavior in ML pipelines, not a meaningful barrier. The absence of a KEV listing or known weaponized exploit slightly reduces immediate urgency, but the advisory provides enough technical detail for motivated attackers to reproduce the bypass.

How does the attack unfold?

  1. Craft malicious artifact (AML.T0018.002): Attacker creates a pickle file that embeds arbitrary code execution via the idlelib.autocomplete.AutoComplete.fetch_completions reduce method, a technique specifically chosen to evade picklescan's detection signatures.

  2. Distribute via supply chain (AML.T0010.001): Attacker publishes the malicious pickle file to a public model hub, shared artifact store, or injects it into an upstream model dependency used by the target organization.

  3. Evade security scanning (AML.T0107): Target organization's pipeline runs picklescan < 0.0.29 against the file; the scanner returns clean and the file receives a false approval to proceed into the environment.

  4. Arbitrary code execution (AML.T0011.000): Victim loads the approved pickle file into their ML environment; the embedded payload executes with full process privileges, enabling data exfiltration, credential theft, or persistent backdoor access.

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable Range: < 0.0.29
Patched: No patch


How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

  1. Upgrade picklescan to 0.0.29 or later immediately—this is the only direct fix.

  2. Quarantine all pickle files previously approved by picklescan < 0.0.29 and re-scan with the patched version before loading.

  3. Adopt safetensors as the default serialization format for model weights wherever possible—safetensors is inherently safe from deserialization attacks and should be preferred over pickle in all new workflows.

  4. Where pickle is unavoidable, load files in an isolated sandbox (Docker container or VM) with no outbound network access, restricted filesystem mounts, and minimal process privileges.

  5. Add runtime monitoring for unexpected subprocess spawning or outbound connections triggered during model load operations.

  6. Audit shared model repositories and artifact stores for pickle files sourced externally.
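The steps above still depend on a scanner that works from a denylist of dangerous callables, which is exactly the kind of list this CVE showed to have a gap. As an added example that is not part of this advisory and is not picklescan's own code, the block below applies the inverse policy: every global a pickle imports must be on an explicit allowlist. It has two layers, a static opcode pass with pickletools that never executes the file (useful for re-scanning previously approved artifacts, step 2), and a RestrictedUnpickler whose find_class enforces the same allowlist at load time and therefore also sees the callable behind a REDUCE, whatever the scanner missed. The allowlist contents and the three sample pickles are constructed for the example.

```python
"""Allowlist-based pickle gating (added example; not picklescan's code)."""
import collections
import io
import pickle
import pickletools

# Assumed policy for this example: the only globals a model artifact may import.
# A real deployment would list the exact classes its serializer emits.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}

# Opcodes that push a string onto the pickle virtual-machine stack; STACK_GLOBAL
# consumes the two most recent ones as (module, name).
_STRING_OPS = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically enumerate every global a pickle imports. Never executes it."""
    strings: list[str] = []
    found: list[tuple[str, str]] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            # Conservative: if the operands were not literal string pushes (for
            # instance fetched from the memo), record them as unresolved so the
            # static verdict becomes "reject" rather than silently passing.
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append(("<unresolved>", "<unresolved>"))
        elif op.name in ("GLOBAL", "INST"):
            # pickletools renders the pair as "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
    return found


def triage(data: bytes) -> dict:
    """Static verdict: reject if any imported global is outside the allowlist."""
    globals_seen = referenced_globals(data)
    disallowed = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    return {
        "globals": globals_seen,
        "disallowed": disallowed,
        "verdict": "reject" if disallowed else "allow",
    }


class AllowlistUnpickler(pickle.Unpickler):
    """Load-time gate: find_class is consulted for every global resolution,
    including the callable a REDUCE opcode will invoke, however it was encoded."""

    def find_class(self, module: str, name: str):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def load_or_reject(data: bytes):
    """Drop-in for pickle.loads: returns ('loaded', obj) or ('rejected', reason)."""
    try:
        return ("loaded", AllowlistUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs: a plain weights dict (imports nothing), an
# OrderedDict (allowlisted import) and a Counter (an import the policy does
# not allow, standing in for any callable a denylist scanner never catalogued).
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2], "layers": 3})
ALLOWED_PICKLE = pickle.dumps(collections.OrderedDict(lr=0.01))
SUSPECT_PICKLE = pickle.dumps(collections.Counter("aab"))

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE), ("allowed", ALLOWED_PICKLE),
                        ("suspect", SUSPECT_PICKLE)]:
        print(label, triage(blob)["verdict"], load_or_reject(blob)[0])
```

The static pass is a triage tool, not the gate: it can be confused by pickles that assemble module names indirectly, which is why it reports unresolved operands as a rejection and why the unpickler's find_class remains the authoritative check. The allowlist approach fails closed, so a new serializer version that emits an unlisted class shows up as a rejected artifact rather than an approved one.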

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.6 - AI system supply chain
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions


Is CVE-2025-71376 actively exploited?

No confirmed active exploitation of CVE-2025-71376 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2025-71376?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML artifact distribution, Jupyter notebook environments, CI/CD model validation pipelines.

What is the CVSS score for CVE-2025-71376?

CVE-2025-71376 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, ML artifact distribution, Jupyter notebook environments, CI/CD model validation pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims.

Exploitation Scenario

An attacker targeting an ML engineering team publishes a seemingly useful fine-tuned model on a public repository (e.g., Hugging Face, GitHub, internal artifact store) in pickle format. The victim organization's CI/CD pipeline runs picklescan as a required security gate before promoting models to staging—a scanner-aware adversary has crafted the file using the `idlelib.autocomplete.AutoComplete.fetch_completions` reduce method specifically because it bypasses picklescan's detection logic. The scanner reports the file as clean, the pipeline promotes it, and a data scientist or automated training job loads it. Upon deserialization, the embedded payload executes—establishing a reverse shell, exfiltrating model weights and training data, or harvesting cloud API keys and database credentials present in the environment.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
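The first CWE-502 mitigation above, authenticating serialized data with an HMAC, closes a different gap than scanning: a substituted or modified artifact is rejected before a single pickle opcode runs, regardless of what it contains. The block below is an added example and not code from this advisory or from picklescan; it seals an artifact at export time (tag prepended to the payload) and verifies it before deserialization with a constant-time comparison. The key and the sample artifact are constructed for the example; in practice the key comes from a secrets manager and is never stored beside the artifacts.

```python
"""HMAC-sealed artifacts: verify before you deserialize (added example)."""
import hashlib
import hmac
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed key for the example only; a real key is provisioned out of band.
KEY = b"constructed-demo-key-do-not-reuse"


def seal(key: bytes, payload: bytes) -> bytes:
    """Return tag || payload. The tag covers exactly the bytes that will be loaded."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag and return the payload; raise before any deserialization."""
    if len(blob) < TAG_LEN:
        raise ValueError("artifact too short to carry an integrity tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the tag cannot be recovered
    # byte by byte from response timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("artifact integrity check failed; refusing to deserialize")
    return payload


def load_verified(key: bytes, blob: bytes):
    """Only unpickle bytes whose tag verified.
    Returns ('loaded', obj) or ('rejected', reason).

    Caveat: the HMAC proves the bytes are unchanged since a key holder sealed
    them. It does not make the producer trustworthy, so pair it with the
    loading controls above (allowlisting, sandboxing) rather than replacing them.
    """
    try:
        payload = open_sealed(key, blob)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("loaded", pickle.loads(payload))


def flip_last_byte(blob: bytes) -> bytes:
    """Simulate tampering with the payload region of a sealed artifact."""
    mutable = bytearray(blob)
    mutable[-1] ^= 0x01
    return bytes(mutable)


# Constructed sample artifact: a small weights dict sealed at export time.
ARTIFACT = {"weights": [0.5, -0.25], "epoch": 7}
SEALED = seal(KEY, pickle.dumps(ARTIFACT))
TAMPERED = flip_last_byte(SEALED)

if __name__ == "__main__":
    print("genuine :", load_verified(KEY, SEALED)[0])
    print("tampered:", load_verified(KEY, TAMPERED)[0])
    print("wrong key:", load_verified(b"other-key", SEALED)[0])
```

Sealing is only as strong as key handling: an attacker who can write to the artifact store and also read the key can re-seal whatever they like, so the key belongs to the export pipeline, not to the bucket that serves the files.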

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 23, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026
