CVE-2025-71359: picklescan - Unsafe Deserialization via lib2to3.pgen2.grammar.Grammar.loads
picklescan before 0.0.29 fails to detect malicious pickle payloads that utilize lib2to3.pgen2.grammar.Grammar.loads in the reduce method, allowing remote code execution. Attackers can craft pickle files embedding dangerous code that evades picklescan detection and executes during pickle.load() deserialization.
Security readout for executives and security teams
Plain-English summary
CVE-2025-71359 is a high-severity flaw in picklescan before 0.0.29. A malicious pickle file can hide dangerous behavior from the scanner and still execute when later deserialized with Python pickle.load(). The main business risk is trusting a scan result for untrusted model or pickle artifacts.
Executive priority
Prioritize remediation in AI, data science, and build pipelines that process third-party pickle artifacts. The issue undermines a security control rather than just an application dependency.
Technical view
picklescan fails to detect malicious pickle payloads that use lib2to3.pgen2.grammar.Grammar.loads in the reduce method. The issue maps to CWE-502 unsafe deserialization and has CVSS 8.1, with network attack vector, low complexity, no privileges, required user interaction, and high confidentiality and integrity impact.
Likely exposure
Exposure is most likely where teams scan untrusted pickle files, model artifacts, or Python serialized data with vulnerable picklescan versions before loading them in Python.
Exploitation context
The bundle does not show KEV listing or active exploitation evidence. Exploitation requires a victim workflow to deserialize a crafted pickle after scanner bypass.
Researcher notes
Evidence is limited to the CVE, GitHub advisory, and VulnCheck advisory in the bundle. Treat this as a scanner bypass with downstream RCE risk during pickle.load(), not as automatic compromise of picklescan installations.
Mitigation direction
Update picklescan to 0.0.29 or later, per the advisory version boundary.
Avoid deserializing untrusted pickle files, even after automated scanning.
Quarantine external pickle or model artifacts until vendor guidance is reviewed.
Add human review for high-risk serialized artifacts from third parties.
Monitor the GitHub advisory and CVE record for updated remediation details.
Validation and detection
Inventory systems and pipelines using picklescan.
Confirm installed picklescan versions are not before 0.0.29.
Review workflows that call pickle.load() on externally supplied artifacts.
Check artifact intake logs for untrusted pickle files accepted during the exposure window.
Verify scanner updates are deployed in CI, notebooks, and production pipelines.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.