CVE-2025-71368: picklescan - Arbitrary Code Execution via Undetected doctest.debug_script
picklescan before 0.0.30 fails to detect the doctest.debug_script function when analyzing pickle files, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files embedding doctest.debug_script calls that bypass picklescan detection and execute arbitrary commands upon pickle.load invocation.
Security readout for executives and security teams
Plain-English summary
This flaw affects organizations that use picklescan to screen Python pickle files before loading them. A malicious pickle could pass scanning because a dangerous doctest function was not detected, then run code when another process loads it. The business risk is highest where untrusted model, data, or artifact files are accepted from outside parties.
Executive priority
Prioritize this for teams handling external ML models, datasets, or serialized Python artifacts. It is not listed as actively exploited in the provided sources, but the impact is high because a trusted scanning control can fail before code execution.
Technical view
picklescan before 0.0.30 did not detect doctest.debug_script in pickle analysis. The CVE describes a CWE-502 deserialization risk: a crafted pickle can evade picklescan detection and execute arbitrary commands when pickle.load is later invoked. CVSS 3.1 is 8.1, with network attack vector, low complexity, no privileges, and required user interaction.
Likely exposure
Exposure is likely in ML, data science, CI, or artifact-ingestion workflows that rely on picklescan as a gate before loading pickle files. Systems that never process untrusted pickle files have lower practical exposure.
Exploitation context
The bundle does not show KEV listing or confirmed active exploitation. Exploitation requires a target workflow to receive a malicious pickle and later load it. The source bundle supports bypass and code execution risk, but not public weaponization status.
Researcher notes
Focus validation on trust boundaries around pickle ingestion, not only package presence. The key evidence is a missed dangerous global involving doctest.debug_script. The record supports arbitrary code execution on later deserialization, but does not provide exploit-in-the-wild evidence.
Mitigation direction
Upgrade picklescan to 0.0.30 or later per vendor guidance.
Avoid loading pickle files from untrusted or unauthenticated sources.
Treat prior picklescan approvals of external pickle files as unreliable.
Add policy controls for model and artifact provenance.
Check vendor advisories for any additional fix guidance.
Validation and detection
Inventory systems and pipelines that install or invoke picklescan.
Confirm deployed picklescan versions are not earlier than 0.0.30.
Identify workflows that call pickle.load on externally supplied files.
Review recent accepted pickle artifacts from untrusted sources.
Verify dependency lockfiles and container images include the fixed version.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
3Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.