CVE-2025-71378: picklescan: detection bypass enables RCE via pickle files

HIGH
Published June 21, 2026
CISO Take

picklescan before 0.0.30 fails to detect cProfile.runctx calls embedded in pickle reduce methods, meaning malicious model files pass security scanning and silently execute arbitrary code when loaded. This is a security control bypass — any organization using picklescan as the primary gate for validating AI model files (PyTorch checkpoints, sklearn pipelines, etc.) is completely unprotected against this evasion technique. With CVSS 8.1, low attack complexity, and no privileges required, an attacker needs only to know the cProfile.runctx pattern — a detail now publicly documented in the advisory — to weaponize it. Upgrade picklescan to ≥0.0.30 immediately and layer defenses with safetensors format or fickling as a secondary scanner for any models imported from external sources.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

High risk for organizations that treat picklescan as their sole model-validation control. The bypass undermines a security gate rather than a product feature, meaning its blast radius scales directly with how broadly picklescan's 'clean' verdict is trusted across ML pipelines. Attack complexity is low once the evasion pattern is known — the advisory and linked VulnCheck writeup describe the mechanism clearly enough to enable straightforward weaponization. No public exploit exists yet, but the disclosure window between advisory publication and exploit availability is typically short for well-documented scanner bypasses. The 73 prior CVEs in this package signal structural fragility in its detection engine. EPSS data is unavailable, but the combination of public documentation, low AC, and high impact warrants treating this as actively dangerous rather than waiting for KEV confirmation.

How does the attack unfold?

  1. Craft Malicious Artifact (AML.T0011.000): Attacker creates a pickle file embedding an RCE payload via cProfile.runctx in its reduce methods, specifically chosen to fall outside picklescan's detection patterns.

  2. Defense Evasion (AML.T0107): Victim runs picklescan ≤0.0.29 on the malicious file; the scanner returns a clean verdict because it does not inspect cProfile.runctx call patterns in reduce methods.

  3. Model Distribution (AML.T0010.001): Attacker distributes the scanner-validated malicious model via a model hub, shared storage bucket, or direct transfer, leveraging the false-clean verdict to build trust and bypass manual review.

  4. Code Execution (AML.T0112.001): Victim loads the model file with pickle.load() or an equivalent call (e.g., torch.load()), triggering the embedded payload and granting the attacker arbitrary code execution with the process's privileges.

What systems are affected?

Package: picklescan
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: None

What should I do?

  1. Upgrade picklescan to ≥0.0.30 immediately — this is the only complete fix.

  2. Prefer safetensors format for model serialization and distribution; it eliminates arbitrary code execution by design.

  3. Deploy fickling as a defense-in-depth layer alongside picklescan for detection overlap — it uses a different analysis approach.

  4. Sandbox model-loading processes: run in containers with no network egress, read-only filesystem mounts, and dropped capabilities so RCE blast radius is contained even if a malicious file slips through.

  5. Audit logs and model inventories for any pickle files scanned with pre-0.0.30 picklescan versions that were loaded into production or training environments.

  6. Restrict model imports to trusted, hash-verified sources and enforce review before any externally sourced model enters the pipeline.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.3 - AI risk treatment
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management are planned
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-71378 actively exploited?

No confirmed active exploitation of CVE-2025-71378 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-71378?

This vulnerability affects the following AI/ML architecture patterns: ML training pipelines, Model serving, MLOps pipelines, Model registries, AI/ML development environments.

What is the CVSS score for CVE-2025-71378?

CVE-2025-71378 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

ML training pipelines, Model serving, MLOps pipelines, Model registries, AI/ML development environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().

Exploitation Scenario

An attacker targeting an organization that imports pre-trained models from a shared hub crafts a malicious PyTorch checkpoint (.pt) embedding an RCE payload using cProfile.runctx in the pickle reduce method. This call pattern falls outside picklescan's detection coverage prior to 0.0.30. The attacker publishes the file on a model repository, shares it via a 'fine-tuned model' email attachment, or compromises a shared S3 model bucket. An ML engineer pulls the file and runs picklescan as part of the standard model-onboarding checklist — the scan returns clean. The engineer loads the model with torch.load(), triggering the embedded payload, which establishes a reverse shell or exfiltrates credentials and training data from the workstation or inference server with full user-level privileges.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
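As an added defender-side example (not code from the advisory or from the picklescan project), the following Python loader applies the two CWE-502 mitigations above and the hash-verified-sources step from the remediation list: it resolves only allowlisted globals, so an off-list reference such as cProfile.runctx is refused no matter whether a scanner recognizes the pattern, and it checks an HMAC-SHA256 tag over the artifact before parsing. The allowlist contents, the demo key and the sample objects are constructed for the demonstration.

```python
import collections
import datetime
import hashlib
import hmac
import io
import pickle

# Allowlist of globals the loader will resolve. Anything else, cProfile.runctx
# included, is refused before it can execute: the opposite of a pattern
# denylist, which fails open whenever it misses one callable.
SAFE_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(data: bytes) -> str:
    # 'loaded' or 'blocked: <reason>'; a blocked pickle never reaches REDUCE.
    try:
        safe_loads(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"blocked: {exc}"


def resolution_outcome(module: str, name: str) -> str:
    # Ask the unpickler directly whether it would resolve module.name.
    try:
        RestrictedUnpickler(io.BytesIO(b"")).find_class(module, name)
        return "allowed"
    except pickle.UnpicklingError:
        return "blocked"


def verify_then_load(data: bytes, tag_hex: str, key: bytes):
    # CWE-502 mitigation: HMAC-SHA256 over the artifact, checked before parsing.
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise ValueError("HMAC mismatch: artifact modified or unsigned")
    return safe_loads(data)
```

The allowlist here is deliberately tiny; a real loader would populate it from the types its model format legitimately needs and nothing more.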

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 21, 2026
Last Modified
June 21, 2026
First Seen
June 21, 2026
