PatchSiren cyber security CVE debrief
CVE-2025-71365 picklescan CVE debrief
CVE-2025-71365 is a high-severity vulnerability in picklescan that allows attackers to bypass detection of malicious pickle files, leading to arbitrary code execution. The vulnerability exists in picklescan versions before 0.0.33 and is caused by the library's failure to detect malicious pickle files that invoke the numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded. The vulnerability has a CVSS score of 7.6 and is classified as HIGH severity. The CVE record was published on June 23, 2026, and last modified on June 23, 2026.
- Vendor
- picklescan
- Product
- Unknown
- CVSS
- HIGH 7.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-23
- Original CVE updated
- 2026-06-23
- Advisory published
- 2026-06-23
- Advisory updated
- 2026-06-23
Who should care
Developers and users of picklescan library, especially those using versions before 0.0.33, should be aware of this vulnerability and take necessary actions to mitigate the risk. The vulnerability can be exploited remotely, and the impact can be significant, making it essential for affected users to update to a patched version as soon as possible. Additionally, users of numpy library may also be affected if used in conjunction with picklescan.
Technical summary
The vulnerability in picklescan library allows attackers to craft malicious pickle files that can bypass detection and execute arbitrary code when loaded. The issue arises from the library's failure to detect malicious pickle files that invoke the numpy.f2py.crackfortran.myeval function through the reduce method. This vulnerability can be exploited remotely, and the impact can be significant. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
High priority should be given to updating picklescan library to version 0.0.33 or later. Additionally, users should be cautious when loading pickle files from untrusted sources and consider implementing additional security measures to mitigate the risk.
Recommended defensive actions
- Update picklescan library to version 0.0.33 or later
- Be cautious when loading pickle files from untrusted sources
- Implement additional security measures to mitigate the risk
- Monitor for suspicious activity related to pickle files
- Consider using alternative libraries or data formats
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its impact, and the affected versions of picklescan library. The source item URL provides additional information on the vulnerability and its exploitation. The references provided in the source item metadata offer further details on the vulnerability and potential mitigations.
Official resources
This article is AI-assisted and based on the supplied source corpus.