CVE-2025-71322 | PickleScan before 0.0.33 fails to include the pty.spawn func… | CVSS 8.8 HIGH

Description

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.

Metadata

CVE ID: CVE-2025-71322
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-08 20:44 UTC
Published: 2026-06-17 15:04 UTC
Last updated: 2026-06-17 15:04 UTC
Primary CWE: CWE-693
Protection Mechanism Failure
Vendor / Product: PickleScan / PickleScan
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
PickleScan	PickleScan	—	0 < 0.0.33, 0.0.33

Weakness (CWE)

CWE	Source	Description
CWE-693	cna	Protection Mechanism Failure

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

GHSA Advisory GHSA-hgrh-qx5j-jfwx https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx
VulnCheck Advisory: PickleScan - Unsafe Globals Check Bypass via pty.spawn Function https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function