CVE-2025-71349: picklescan - Arbitrary Code Execution via Undetected trace.Trace.run in Pickle Files
picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using trace.Trace.run in the reduce method to achieve arbitrary code execution when pickle.load processes the file.
Security readout for executives and security teams
Plain-English summary
picklescan can miss a dangerous Python pickle pattern. If an organization relies on affected picklescan versions to approve untrusted pickle files, a malicious file may pass scanning and later execute attacker-controlled code when loaded by Python.
Executive priority
Prioritize remediation where pickle files enter automated pipelines or model workflows. This is high urgency for teams using picklescan as a gate before deserialization, but lower where pickle loading is absent or strictly trusted.
Technical view
The issue is a CWE-502 deserialization weakness in picklescan before 0.0.29. The scanner fails to detect the built-in trace.Trace.run function inside pickle reduce handling, allowing malicious code to remain undetected and execute when pickle.load processes the file.
Likely exposure
Exposure is most likely in ML, data science, CI, or application pipelines that scan pickle files before loading them. Risk depends on whether untrusted pickle files are accepted and whether affected picklescan versions are used.
Exploitation context
The CVE describes remote attackers crafting malicious pickle files that bypass detection and execute during pickle.load. The provided bundle does not show CISA KEV listing or confirmed active exploitation.
Researcher notes
Evidence is limited to the CVE bundle, GitHub advisory, and VulnCheck reference. Validate exact affected version semantics against vendor advisory because the bundle states “before 0.0.29” while also listing version boundary data.
Mitigation direction
Upgrade picklescan to 0.0.29 or a later vendor-supported release.
Avoid loading pickle files from untrusted or unauthenticated sources.
Treat previous picklescan results for untrusted pickle files as insufficient assurance.
Review vendor advisory guidance for any additional remediation steps.
Add controls that restrict where deserialization can run.
Validation and detection
Inventory picklescan usage across CI, ML, and data ingestion workflows.
Confirm installed picklescan versions are not earlier than 0.0.29.
Identify workflows that call pickle.load on externally supplied files.
Review recent pickle files accepted from untrusted parties.
Check whether deserialization runs with unnecessary privileges or network access.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.