CVE-2025-71341 | picklescan before 0.0.29 fails to detect the profile.Profile… | CVSS 8.1 HIGH

Description

picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution when the pickle file is loaded.

Metadata

CVE ID: CVE-2025-71341
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 01:48 UTC
Published: 2026-06-23 12:12 UTC
Last updated: 2026-06-23 13:56 UTC
Primary CWE: CWE-502
Deserialization of Untrusted Data
Vendor / Product: picklescan / picklescan
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
picklescan	picklescan	—	0 < 0.0.29, 0.0.29

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	Deserialization of Untrusted Data

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (2)

GitHub Security Advisory (GHSA-6vqj-c2q5-j97w) https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6vqj-c2q5-j97w
VulnCheck Advisory: picklescan - Remote Code Execution via Undetected profile.Profile.runctx https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-profile-profile-runctx