CVE-2025-71353: picklescan - Remote Code Execution via torch._dynamo.guards.GuardBuilder.get
picklescan before 0.0.28 fails to detect malicious pickle files that exploit torch._dynamo.guards.GuardBuilder.get function in reduce methods. Attackers can craft pickle files with embedded code that evades picklescan detection and executes arbitrary commands when loaded.
Security readout for executives and security teams
Plain-English summary
This flaw affects picklescan, a tool meant to detect unsafe Python pickle files. Versions before 0.0.28 can miss a malicious pickle technique involving PyTorch internals. If someone later loads that pickle, embedded commands may run. The main business risk is misplaced trust in a scan result for ML or Python artifacts.
Executive priority
Treat this as high priority for teams handling ML models or Python serialized artifacts. The vulnerability weakens a safety control and can lead to command execution if unsafe artifacts are loaded. Prioritize upgrade and workflow review over broad emergency response unless exposed deserialization paths exist.
Technical view
CVE-2025-71353 is a CWE-502 deserialization detection bypass in picklescan before 0.0.28. Malicious pickle content using torch._dynamo.guards.GuardBuilder.get in reduce methods can evade detection and execute arbitrary commands when deserialized. CVSS 3.1 is 8.1, with network attack vector and required user interaction.
Likely exposure
Exposure is most likely in ML, data science, or CI pipelines that scan pickle, model, or artifact files with vulnerable picklescan versions, then deserialize files based on scan results. Systems that do not use picklescan or do not load pickle files are not indicated as exposed by the bundle.
Exploitation context
The bundle describes attacker-crafted pickle files that evade detection and execute when loaded. It does not cite active exploitation, and KEV status is false. Practical exploitation still depends on a victim workflow accepting and loading a malicious pickle after relying on a vulnerable scan result.
Researcher notes
The key issue is not that picklescan executes code directly, but that it can fail to flag a malicious pickle pattern. Evidence provided identifies affected versions as before 0.0.28 and names the PyTorch GuardBuilder.get reduce-method technique. No exploit-in-the-wild evidence is included.
Mitigation direction
Upgrade picklescan to 0.0.28 or later where used.
Do not load untrusted pickle files, even after scanning.
Add sandboxing around pickle deserialization workflows.
Review vendor advisories before relying on scanner coverage.
Re-scan stored pickle artifacts after upgrading.
Validation and detection
Inventory environments using picklescan and record versions.
Identify workflows that deserialize pickle files after scanning.
Check CI, model registry, and notebook pipelines for pickle handling.
Confirm vulnerable versions are removed from lockfiles and images.
Review logs for unexpected pickle artifact ingestion.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.