PatchSiren cyber security CVE debrief
CVE-2025-71343 picklescan CVE debrief
CVE-2025-71343 is a HIGH severity vulnerability in picklescan before 0.0.30. picklescan fails to flag pickle files whose reduce callback targets lib2to3.pgen2.pgen.ParserGenerator.make_label, so an attacker can craft a pickle file that passes the scan yet executes arbitrary commands when pickle.load() is called. The vulnerability has a CVSS score of 7.6 and is rated HIGH severity. The CVE record was published on 2026-07-04T02:16:21.527Z and has not been modified since. Vendor and product information is not available; the canonical source is listed as reference_domain_weak with low confidence.
- Vendor: picklescan
- Product: Unknown
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-07-04
- Original CVE updated: 2026-07-04
- Advisory published: 2026-07-04
- Advisory updated: 2026-07-04
Who should care
Organizations that rely on picklescan before version 0.0.30 to vet pickle files before loading them should treat this as a gate that can be bypassed: a file that passes the scan can still execute arbitrary commands when loaded, leading to compromise of the loading system. Users of picklescan should check their inventory and update to version 0.0.30 or later to prevent exploitation.
Technical summary
The vulnerability in picklescan before 0.0.30 is a detection gap: the scanner does not flag pickle files whose reduce callback targets the lib2to3.pgen2.pgen.ParserGenerator.make_label function. An attacker can therefore craft a pickle file with embedded code that passes the scan but executes arbitrary commands when pickle.load() is called. The vulnerability has a CVSS score of 7.6 and is rated HIGH severity. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
This vulnerability has a HIGH severity and a CVSS score of 7.6, indicating a significant risk to organizations using picklescan before version 0.0.30. Immediate attention is required to mitigate this vulnerability and prevent exploitation.
Recommended defensive actions
- Update picklescan to version 0.0.30 or later
- Check inventory for affected versions
- Monitor for suspicious pickle files
- Implement compensating controls to detect and prevent exploitation
- Track exceptions and anomalies in pickle file processing
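The compensating control that closes this class of gap is to stop relying on a denylist scanner alone and allowlist, at load time, which globals a pickle may resolve. The following is an added example written for this debrief, not code from picklescan or from the CVE record; the allowlist contents and the sample streams are constructed for illustration. It pairs a static opcode scan (the kind of check a scanner performs, with its inherent blind spots) with a restricted Unpickler that refuses any global not on the allowlist, so a stream naming lib2to3.pgen2.pgen.ParserGenerator is rejected before anything is imported.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist for this example: the only globals the loader may resolve.
# Anything else, lib2to3.pgen2.pgen.ParserGenerator included, is refused.
SAFE_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Enforce the allowlist in find_class, so a REDUCE can only call what is listed."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    """Load untrusted bytes under the allowlist; raises UnpicklingError on a denied global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Static pass over the opcode stream; nothing is imported or executed.
    GLOBAL carries "module name" directly; STACK_GLOBAL consumes the two most
    recently pushed strings, tracked here heuristically. A stream that rebuilds
    those strings via memo gets slips past this, which is why the load-time
    allowlist above is the control that actually matters."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            recent.append(arg)
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.append((recent[-2], recent[-1]))
    return found

def is_blocked(data: bytes) -> bool:
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed samples: a plain dict, a REDUCE onto an allowlisted callable, and a
# protocol-0 stream whose GLOBAL opcode names the lib2to3 class from the advisory.
BENIGN = pickle.dumps({"weights": [1, 2, 3]})
ALLOWED_REDUCE = pickle.dumps(OrderedDict(a=1))
SUSPICIOUS = b"clib2to3.pgen2.pgen\nParserGenerator\n."
```

Use referenced_globals for triage and logging of what a file asks for, and restricted_loads as the only path by which untrusted pickles are ever loaded.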
Evidence notes
The CVE record was published on 2026-07-04T02:16:21.527Z and has not been modified since. The vendor and product information is not available, but the canonical source is listed as reference_domain_weak with low confidence. The vulnerability has a CVSS score of 7.6 and is considered HIGH severity. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Official resources
This article is AI-assisted and based on the supplied source corpus.