CVE-2025-71362: picklescan - Arbitrary Code Execution via Unsafe Deserialization in numpy.f2py.crackfortran
picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources.
Security readout for executives and security teams
Plain-English summary
CVE-2025-71362 affects picklescan, a tool intended to detect unsafe Python pickle content. Versions before 0.0.33 can miss a dangerous pattern involving numpy.f2py.crackfortran. If an organization trusts picklescan to vet untrusted pickle files, malicious code may execute later when those files are loaded.
Executive priority
Prioritize for teams handling external ML models, datasets, or Python artifacts. The business risk is supply-chain code execution through trusted scanning workflows, not broad internet-facing compromise.
Technical view
The issue is CWE-502 unsafe deserialization detection failure. picklescan before 0.0.33 does not flag pickle payloads that reach numpy.f2py.crackfortran functions using eval on attacker-controlled strings. CVSS is 8.1, network attack vector, low complexity, no privileges, and user interaction required.
Likely exposure
Exposure is most likely in ML, data science, or supply-chain workflows that scan third-party pickle files before loading them. Systems not using picklescan, or not processing untrusted pickle files, are less likely to be affected.
Exploitation context
The provided sources do not report active exploitation, and this CVE is not listed as KEV. Exploitation requires a user or workflow to load a malicious pickle from an untrusted source after picklescan fails to identify it.
Researcher notes
Evidence is limited to the CVE bundle, GitHub advisory, and VulnCheck advisory. The key concern is a detection bypass in a security tool, so validation should focus on dependency versions and whether picklescan is used as a gate before deserialization.
Mitigation direction
Upgrade picklescan to 0.0.33 or later if vendor guidance confirms it as fixed.
Do not load pickle files from untrusted sources, even after scanning.
Add policy controls for model and artifact provenance.
Monitor the GitHub advisory for updated remediation details.
Validation and detection
Inventory where picklescan is installed and used.
Confirm installed picklescan versions are 0.0.33 or later.
Identify workflows that accept external pickle, model, or artifact files.
Review whether untrusted pickles are loaded after scan-only approval.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.