CVE-2025-71351 | picklescan before 0.0.25 fails to detect malicious pickle fi… | CVSS 7.6 HIGH

Description

picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute when pickle.load() is called.

Metadata

CVE ID: CVE-2025-71351
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:48 UTC
Published: 2026-06-21 13:26 UTC
Last updated: 2026-06-21 13:26 UTC
Primary CWE: CWE-184
Incomplete List of Disallowed Inputs
Vendor / Product: picklescan / picklescan
Sources: cve.org · NVD

Severity & Metrics

7.6 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
picklescan	picklescan	—	0 < 0.0.25, 0.0.25

Weakness (CWE)

CWE	Source	Description
CWE-184	cna	Incomplete List of Disallowed Inputs

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (2)

GHSA Advisory GHSA-v7x6-rv5q-mhwc https://github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc
VulnCheck Advisory: picklescan - Remote Code Execution via timeit.timeit() Detection Bypass https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-timeit-timeit-detection-bypass