CVE-2025-71378 | picklescan before 0.0.30 fails to detect cProfile.runctx fun… | CVSS 8.1 HIGH

Description

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().

Metadata

CVE ID: CVE-2025-71378
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 13:11 UTC
Published: 2026-06-21 13:26 UTC
Last updated: 2026-06-21 13:26 UTC
Primary CWE: CWE-502
Deserialization of Untrusted Data
Vendor / Product: picklescan / picklescan
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
picklescan	picklescan	—	0 < 0.0.30, 0.0.30

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	Deserialization of Untrusted Data

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References (2)

GHSA Advisory GHSA-9w88-8rmg-7g2p https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p
VulnCheck Advisory: picklescan - Remote Code Execution via Undetected cProfile.runctx in Pickle Files https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-cprofile-runctx-in-pickle-files