CVE-2025-71347: picklescan - Undetected Remote Code Execution via numpy.f2py.crackfortran.param_eval
picklescan before 0.0.33 fails to detect malicious pickle files using numpy.f2py.crackfortran.param_eval function in reduce methods, allowing attackers to bypass security checks. Remote attackers can embed undetected code in pickle files that executes during deserialization, enabling arbitrary code execution in applications loading untrusted pickle data.
Security readout for executives and security teams
Plain-English summary
CVE-2025-71347 is a bypass in picklescan before 0.0.33. A malicious pickle file can pass scanning and still execute code when an application later deserializes it. The business risk is highest where external pickle-based ML artifacts or data files are accepted and trusted after scanning.
Executive priority
Prioritize remediation where picklescan gates externally supplied ML or data artifacts. The vulnerability can turn a failed security check into code execution during later processing, but current provided sources do not show active exploitation.
Technical view
picklescan failed to detect dangerous use of numpy.f2py.crackfortran.param_eval in pickle reduce methods. This maps to CWE-502: unsafe deserialization. The provided CVSS is 8.1, network exploitable with low attack complexity, no privileges required, and user interaction required.
Likely exposure
Exposure is likely limited to environments using picklescan before 0.0.33 to inspect untrusted pickle files before loading them. ML platforms, model registries, data science workflows, and automated artifact ingestion pipelines are plausible exposure points if they deserialize scanned pickle content.
Exploitation context
The source bundle does not cite active exploitation and KEV status is false. Exploitation depends on getting a target workflow to process a malicious pickle file that bypasses picklescan and is later deserialized by an application.
Researcher notes
Focus validation on deserialization trust boundaries, not only package presence. The affected behavior involves missed detection of a specific callable pattern in reduce methods. Do not assume all pickle defenses are bypassed; confirm whether picklescan is in the enforcement path.
Mitigation direction
Upgrade picklescan to version 0.0.33 or later.
Avoid deserializing pickle files from untrusted or unauthenticated sources.
Treat scanner approval as insufficient for pickle safety.
Review vendor advisory guidance for any additional fixed-version details.
Restrict artifact ingestion paths that accept pickle-based files.
Validation and detection
Inventory systems and pipelines using picklescan.
Confirm deployed picklescan versions are 0.0.33 or later.
Identify workflows that deserialize pickle files after scanning.
Review ingestion logs for externally supplied pickle artifacts.
Check dependency manifests, container images, and CI environments.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.