Vulnerability-Lookup

PYSEC-2026-247

Vulnerability from pysec - Published: 2026-06-21 14:16 - Updated: 2026-06-27 10:29

Details

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().

Severity

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impacted products

Name	purl
picklescan	pkg:pypi/picklescan

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan",
        "purl": "pkg:pypi/picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.0.10",
        "0.0.11",
        "0.0.12",
        "0.0.13",
        "0.0.14",
        "0.0.15",
        "0.0.16",
        "0.0.17",
        "0.0.18",
        "0.0.19",
        "0.0.2",
        "0.0.20",
        "0.0.21",
        "0.0.22",
        "0.0.23",
        "0.0.24",
        "0.0.25",
        "0.0.26",
        "0.0.27",
        "0.0.28",
        "0.0.29",
        "0.0.3",
        "0.0.4",
        "0.0.5",
        "0.0.6",
        "0.0.7",
        "0.0.8",
        "0.0.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-71378",
    "GHSA-9w88-8rmg-7g2p"
  ],
  "details": "picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().",
  "id": "PYSEC-2026-247",
  "modified": "2026-06-27T10:29:13.799417Z",
  "published": "2026-06-21T14:16:23.140Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-cprofile-runctx-in-pickle-files"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-71378 (GCVE-0-2025-71378)

Vulnerability from cvelistv5 – Published: 2026-06-21 13:26 – Updated: 2026-06-23 02:46

Title

picklescan - Remote Code Execution via Undetected cProfile.runctx in Pickle Files

Summary

Severity

7.6 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

VulnCheck

References

2 references

URL	Tags
https://github.com/mmaitre314/picklescan/security…	vendor-advisory
https://www.vulncheck.com/advisories/picklescan-r…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
picklescan	picklescan	Affected: 0 , < 0.0.30 (semver) Unaffected: 0.0.30 (semver)

Date Public

2025-08-26 00:00

Credits

FredericDT

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-71378",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T02:45:43.134054Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T02:46:13.773Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:pypi/picklescan",
          "product": "picklescan",
          "vendor": "picklescan",
          "versions": [
            {
              "lessThan": "0.0.30",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "0.0.30",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.0.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "FredericDT"
        }
      ],
      "datePublic": "2025-08-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load()."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-21T13:26:50.106Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GHSA Advisory GHSA-9w88-8rmg-7g2p",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p"
        },
        {
          "name": "VulnCheck Advisory: picklescan - Remote Code Execution via Undetected cProfile.runctx in Pickle Files",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-cprofile-runctx-in-pickle-files"
        }
      ],
      "title": "picklescan - Remote Code Execution via Undetected cProfile.runctx in Pickle Files",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-71378",
    "datePublished": "2026-06-21T13:26:50.106Z",
    "dateReserved": "2026-06-20T13:11:44.728Z",
    "dateUpdated": "2026-06-23T02:46:13.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-9W88-8RMG-7G2P

Vulnerability from github – Published: 2025-08-26 21:38 – Updated: 2025-08-26 21:38

Summary

Picklescan is missing detection when calling built-in python cProfile.runctx

Details

Summary

Using cProfile.runctx function, which is a built-in python library function to execute remote pickle file.

Details

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to cProfile.runctx function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

import cProfile

class EvilCProfileRunctx:
    def __reduce__(self):
        # cProfile.runctx(cmd, globals, locals) -> exec(cmd, ...)
        return cProfile.runctx, ("__import__('os').system('whoami')", None, None)

Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Corresponding

https://github.com/FredericDT https://github.com/Qhaoduoyu

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-26T21:38:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nUsing cProfile.runctx function, which is a built-in python library function to execute remote pickle file.\n\n### Details\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to cProfile.runctx function in reduce method\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn\u0027t dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n\n```\nimport cProfile\n\nclass EvilCProfileRunctx:\n    def __reduce__(self):\n        # cProfile.runctx(cmd, globals, locals) -\u003e exec(cmd, ...)\n        return cProfile.runctx, (\"__import__(\u0027os\u0027).system(\u0027whoami\u0027)\", None, None)\n```\n\n### Impact\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n\n### Corresponding\n\nhttps://github.com/FredericDT\nhttps://github.com/Qhaoduoyu",
  "id": "GHSA-9w88-8rmg-7g2p",
  "modified": "2025-08-26T21:38:36Z",
  "published": "2025-08-26T21:38:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/1931c2d04eaca8d20597705ff39cab78ba364e4b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Picklescan is missing detection when calling built-in python cProfile.runctx"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2026-247

CVE-2025-71378 (GCVE-0-2025-71378)

GHSA-9W88-8RMG-7G2P

Summary

Details

PoC

Impact

Corresponding

Tags

Sightings

Nomenclature