PatchSiren cyber security CVE debrief

CVE-2025-71353 picklescan CVE debrief

CVE-2025-71353 is a high-severity vulnerability in picklescan before version 0.0.28. It allows attackers to craft malicious pickle files that evade picklescan's detection and execute arbitrary commands when loaded. The root cause is picklescan's failure to detect malicious pickle files that exploit the torch._dynamo.guards.GuardBuilder.get function in reduce methods. The vulnerability has a CVSS score of 7.6 and is classified as HIGH severity. The CVE was published on July 4, 2026.

Vendor: picklescan
Product: Unknown
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-07-04
Original CVE updated: 2026-07-04
Advisory published: 2026-07-04
Advisory updated: 2026-07-04

Who should care

Developers and users of picklescan before version 0.0.28 should be aware of this vulnerability and take steps to mitigate it: update to version 0.0.28 or later, and be cautious when loading pickle files from untrusted sources. Additionally, users of environments where torch._dynamo.guards.GuardBuilder is importable should be aware that malicious pickle files referencing it could evade detection.

Technical summary

The vulnerability in picklescan before version 0.0.28 allows attackers to craft malicious pickle files that exploit the torch._dynamo.guards.GuardBuilder.get function in reduce methods. picklescan is meant to detect such files, but its checks can be evaded by attackers who craft pickle files with embedded code that references this function in a reduce method. When loaded, these pickle files can execute arbitrary commands. The vulnerability has a CVSS score of 7.6 and is classified as HIGH severity.

Defensive priority

High priority should be given to updating picklescan to version 0.0.28 or later. Additionally, users should be cautious when loading pickle files from untrusted sources and consider implementing additional security measures to detect and prevent malicious pickle files.

Recommended defensive actions

  • Update picklescan to version 0.0.28 or later
  • Be cautious when loading pickle files from untrusted sources
  • Implement additional security measures to detect and prevent malicious pickle files
  • Monitor for suspicious activity related to pickle files
  • Consider implementing compensating controls to detect and prevent malicious pickle files
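As an added example of the compensating control suggested above (it is not picklescan's code and is not taken from the CVE record), the following Python pre-check disassembles a pickle with pickletools without ever unpickling it, lists every callable the file would import, and fails closed on a denylisted import or on a STACK_GLOBAL whose operands cannot be resolved statically. The denylist, the sample bytes and the function names are constructed for this illustration; a real deployment would allowlist the few imports a model file legitimately needs.

```python
import io
import pickle
import pickletools

# Constructed denylist for this example: the callable named in CVE-2025-71353
# plus two classic pickle gadgets. picklescan carries a far larger list.
DENYLIST = {
    ("torch._dynamo.guards", "GuardBuilder.get"),
    ("os", "system"),
    ("builtins", "eval"),
}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
SKIP_OPS = {"PROTO", "FRAME", "MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
UNRESOLVED = ("<unresolved>", "<unresolved>")

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Disassemble the pickle (never unpickle it) and list every
    (module, qualname) it would import via GLOBAL or STACK_GLOBAL."""
    found, recent = [], []  # recent: last opcodes that touched the stack
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":                 # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":         # protocol 4: operands on stack
            last = recent[-2:]
            if len(last) == 2 and all(o in STRING_OPS for o, _ in last):
                found.append((last[0][1], last[1][1]))
            else:  # operands fetched from the memo (BINGET etc.): fail closed
                found.append(UNRESOLVED)
        if op.name not in SKIP_OPS:
            recent.append((op.name, arg))
    return found

def scan(data: bytes) -> dict:
    """Flag denylisted or unresolvable imports; 'safe' means none were found."""
    globs = referenced_globals(data)
    bad = [g for g in globs if g in DENYLIST or g == UNRESOLVED]
    return {"globals": globs, "dangerous": bad, "safe": not bad}

def constructed_sample(module: str, name: str) -> bytes:
    """Constructed test input: a protocol-4 pickle that imports module.name
    and REDUCEs it with no arguments. It is only scanned here, never loaded."""
    def s(text):
        raw = text.encode()
        return pickle.SHORT_BINUNICODE + bytes([len(raw)]) + raw
    return (pickle.PROTO + b"\x04" + s(module) + s(name) + pickle.STACK_GLOBAL
            + pickle.EMPTY_TUPLE + pickle.REDUCE + pickle.STOP)
```

Run scan() on a file before any torch.load or pickle.load call and refuse the file unless "safe" is True; the unresolved case matters because memo-based indirection is a common way to hide the module and name strings from naive scanners.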

Evidence notes

The evidence for this vulnerability comes from the CVE record and the NVD detail page. The CVE record provides information on the vulnerability, including its CVSS score and severity. The NVD detail page provides additional information on the vulnerability, including its description and references.

This article is AI-assisted and based on the supplied source corpus.