CVE-2025-71345: picklescan - Arbitrary Code Execution via torch.utils.bottleneck.__main__.run_autograd_prof
picklescan before 0.0.30 fails to detect malicious pickle files that invoke torch.utils.bottleneck.__main__.run_autograd_prof function. Attackers can embed undetected code in pickle files that executes during deserialization, enabling remote code execution.
Security readout for executives and security teams
Plain-English summary
CVE-2025-71345 is a high-severity flaw in picklescan before 0.0.30. Malicious pickle files can evade detection and execute code when later deserialized. The main business risk is misplaced trust in a scanner inside ML, data, or automation workflows that handle untrusted pickle files.
Executive priority
Prioritize remediation where picklescan protects production ML, data ingestion, or customer-supplied file workflows. The issue is not reported as actively exploited, but the impact can include code execution after a scanning bypass.
Technical view
picklescan fails to flag pickle payloads invoking torch.utils.bottleneck.__main__.run_autograd_prof. Because Python pickle deserialization can execute embedded behavior, bypassing detection can lead to code execution when downstream systems deserialize the file. The CVSS 3.1 score is 8.1, with user interaction required.
Likely exposure
Exposure is most likely where picklescan is used to screen pickle files from users, partners, datasets, model pipelines, or automation before deserialization.
Exploitation context
The provided sources do not show CISA KEV listing or active exploitation. Exploitation still depends on a victim workflow accepting a malicious pickle file and deserializing it after picklescan misses it.
Researcher notes
This is a CWE-502 deserialization-adjacent scanner bypass. The issue is the missed detection of a dangerous callable path, not a new safe way to deserialize pickle. Evidence in the provided bundle does not establish exploitation in the wild.
Mitigation direction
Upgrade picklescan to a fixed version; sources identify the issue as affecting versions before 0.0.30.
Do not deserialize pickle files from untrusted or weakly trusted sources.
Add isolation around workflows that inspect or process pickle files.
Review vendor guidance for any additional detection or regression recommendations.
Prefer safer serialization formats where business workflows allow it.
Validation and detection
Inventory systems and pipelines that use picklescan.
Confirm deployed picklescan versions and flag versions before 0.0.30.
Identify workflows that treat picklescan results as approval to deserialize pickle files.
Review recent pickle ingestion sources and trust boundaries.
Check vendor advisory updates for changed affected-version or fix details.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.