PatchSiren cyber security CVE debrief
CVE-2025-71376 picklescan CVE debrief
CVE-2025-71376 is a high-severity vulnerability in the picklescan library before version 0.0.29. picklescan fails to flag pickle files whose reduce payload invokes idlelib.autocomplete.AutoComplete.fetch_completions, so an attacker can craft a pickle that passes the scan yet executes arbitrary commands when the victim loads it. The vulnerability has a CVSS score of 7.6 and is classified as HIGH. The CVE record was published on June 23, 2026, and last modified on June 23, 2026.
- Vendor: picklescan
- Product: Unknown
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
Developers and users of the picklescan library before version 0.0.29 should update to version 0.0.29 or later and remain cautious when loading pickle files from untrusted sources, since a clean scan result from an affected version cannot be relied on. Operators of applications that depend on picklescan for this check should take the same precautions.
Technical summary
The picklescan library before version 0.0.29 does not flag idlelib.autocomplete.AutoComplete.fetch_completions when it appears as the callable in a pickle's reduce method. A pickle that invokes it is therefore reported as safe and executes attacker-controlled code when the victim loads it; the root cause is picklescan's failure to detect this construct in malicious pickle files. The CVSS 4.0 vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, i.e. reachable over the network with low attack complexity and no privileges, but dependent on attack requirements being met and on the victim loading the file, with high confidentiality and integrity impact.
Defensive priority
High priority should be given to updating the picklescan library to version 0.0.29 or later. Additionally, users should be cautious when loading pickle files from untrusted sources and consider implementing additional security measures to mitigate this vulnerability.
Recommended defensive actions
- Update the picklescan library to version 0.0.29 or later.
- Be cautious when loading pickle files from untrusted sources.
- Consider implementing additional security measures to mitigate this vulnerability, such as validating and sanitizing input data.
- Monitor for and respond to potential exploitation attempts.
- Review and update application configurations to ensure secure usage of the picklescan library.
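The failure behind this CVE is a denylist gap: a scanner that enumerates dangerous callables misses any callable it has not heard of. The complementary control for the "be cautious when loading pickle files" and "validating input data" items above is to refuse, at load time, every global the application has not explicitly approved. The following is an added example written for this debrief, not code from picklescan or from the CVE record; the allowlist contents and the sample pickles are constructed for illustration.

```python
import collections
import datetime
import io
import math
import pickle

# Constructed allowlist: the only (module, name) pairs this application needs
# to unpickle. Anything else is refused, whether or not a scanner knows it is
# dangerous, which is what closes the denylist-gap class of bugs.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    find_class() is called for every GLOBAL / STACK_GLOBAL reference in the
    stream, regardless of pickle protocol, so a callable that a denylist-based
    scanner fails to recognise still cannot be resolved here.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}: not allowlisted"
        )


def safe_loads(data: bytes):
    """Unpickle data under the allowlist; raises UnpicklingError otherwise."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'ok' if the stream unpickles under the allowlist, else 'blocked'."""
    try:
        safe_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"


# Constructed sample streams (none of them runs any code on load):
# plain containers reference no globals at all
BENIGN_DICT = pickle.dumps({"a": 1, "b": [1, 2]})
# an allowlisted class reached through a reduce call
ORDERED = pickle.dumps(collections.OrderedDict([("k", 1)]))
# a bare reference to a harmless function that is not on the allowlist
FUNC_REF = pickle.dumps(math.sqrt)
# a legitimate type the allowlist does not cover: blocked until someone adds it
DATE = pickle.dumps(datetime.date(2024, 1, 1))


if __name__ == "__main__":
    for label, blob in [("dict", BENIGN_DICT), ("OrderedDict", ORDERED),
                        ("math.sqrt ref", FUNC_REF), ("datetime.date", DATE)]:
        print(f"{label:15s} -> {classify(blob)}")
```

The trade-off is visible in the last sample: an allowlist blocks legitimate objects it does not list, so it has to be curated per application, whereas a denylist like the one picklescan relied on fails open whenever a new callable appears. For pickle streams from untrusted sources, failing closed is the safer default, and a scanner upgrade to 0.0.29 or later complements rather than replaces this load-time check.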
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and vector. The source item URL provides additional information on the vulnerability, including references to related advisories and articles. The CVE.org record and NVD detail provide official information on the vulnerability.
Official resources
This article is AI-assisted and based on the supplied source corpus.