CVE-2025-71322 PickleScan CVE debrief

Who should care

Organizations using PickleScan before 0.0.33 should prioritize patching this vulnerability to prevent potential code execution attacks. Security teams and administrators responsible for maintaining PickleScan installations should be aware of this vulnerability and take necessary actions.

Technical summary

The vulnerability exists in PickleScan before 0.0.33, where the pty.spawn function is not included in the unsafe globals list. This allows attackers to craft malicious pickle payloads that can bypass security checks and execute arbitrary code when processed by PickleScan. The vulnerability has a CVSS score of 8.7, indicating a high severity level. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

HIGH

Recommended defensive actions

• Patch PickleScan to version 0.0.33 or later
• Restrict access to PickleScan installations
• Monitor PickleScan logs for suspicious activity
• Implement additional security controls to detect and prevent code execution attacks
• Consider using alternative pickle scanning tools
• Keep PickleScan and its dependencies up-to-date
• Perform regular security audits and vulnerability assessments

Evidence notes

The vulnerability information is based on data from the National Vulnerability Database (NVD) and other reliable sources. The CVSS score and vector are provided by the NVD. The vendor, Unknown Vendor, has not provided a canonical source for this vulnerability.

Official resources