Description
picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

picklescan before version 0.0.33 has an incomplete deny-list that attackers can bypass. The deny-list does not cover pydoc.locate and operator.methodcaller, so these functions can be used to embed malicious payloads in pickle data. When an attacker supplies a crafted pickle file to a deserializing component, the application can execute arbitrary code in the context of the running process. The weakness is classified as CWE-184.

Affected Systems

The affected product is picklescan by mmaitre314. All releases prior to 0.0.33 are impacted. Systems that import and deserialize pickles using picklescan without additional input filtering remain vulnerable. The vulnerability exists in the core deserialization routine that accepts untrusted data.

Risk and Exploitability

The CVSS score of 9.3 indicates a severe risk, but the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers would need remote access to send a malicious pickle to a service that uses picklescan, which is a typical remote code execution vector. The remote attacker can trigger the flaw by transmitting a specially crafted pickle file that takes advantage of the unfiltered pydoc.locate or operator.methodcaller paths.

Generated by OpenCVE AI on June 18, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade picklescan to version 0.0.33 or later, which removes the insecure functions from serialized payload handling.
  • If an immediate upgrade is not possible, isolate the deserialization code so that it runs with the least privilege; avoid executing the pickle in privileged services.
  • Review configuration and code to eliminate use of pydoc.locate and operator.methodcaller during pickling operations; explicitly whitelist allowed callables or use a safe deserialization routine that refuses arbitrary functions.

Generated by OpenCVE AI on June 18, 2026 at 17:43 UTC.
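
The allow-list approach named in the last recommended action, contrasted with a deny-list that has a gap of the kind this CVE describes. This is an added example, not picklescan's code and not part of the OpenCVE record; the DENIED and ALLOWED sets, the class and function names, and both sample pickles are constructed for illustration, and the samples are harmless.

```python
import collections
import io
import operator
import pickle

# Constructed deny-list with the kind of gap the advisory describes:
# it names some dangerous callables but not operator.methodcaller.
DENIED = {("os", "system"), ("builtins", "eval"), ("builtins", "exec")}

# Constructed allow-list: the only globals this hypothetical app expects.
ALLOWED = {("collections", "OrderedDict")}


class DenyListUnpickler(pickle.Unpickler):
    """Resolves every global except the ones explicitly listed in DENIED."""
    def find_class(self, module, name):
        if (module, name) in DENIED:
            raise pickle.UnpicklingError(f"denied global: {module}.{name}")
        return super().find_class(module, name)


class AllowListUnpickler(pickle.Unpickler):
    """Resolves only the globals explicitly listed in ALLOWED."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"global not allowed: {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, data: bytes):
    return unpickler_cls(io.BytesIO(data)).load()


def verdict(unpickler_cls, data: bytes) -> str:
    try:
        load_with(unpickler_cls, data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"rejected ({exc})"


# Constructed, harmless samples: one expected type, one unlisted callable.
EXPECTED = pickle.dumps(collections.OrderedDict(a=1))
UNLISTED = pickle.dumps(operator.methodcaller("upper"))

if __name__ == "__main__":
    for label, blob in (("expected", EXPECTED), ("unlisted", UNLISTED)):
        print(label, "| deny-list:", verdict(DenyListUnpickler, blob))
        print(label, "| allow-list:", verdict(AllowListUnpickler, blob))
```

The deny-list loads the unlisted callable because nobody thought to name it, while the allow-list rejects it without needing to know it exists.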


Advisories
Source: Github GHSA
ID: GHSA-84r2-jw7c-4r5q
Title: Picklescan has Incomplete List of Disallowed Inputs

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description: picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.
Title: picklescan - Remote Code Execution via Incomplete Disallowed Inputs
First Time appeared: Mmaitre314; Mmaitre314 picklescan
Weaknesses: CWE-184
CPEs: cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
Vendors & Products: Mmaitre314; Mmaitre314 picklescan
References:
Metrics:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T17:54:59.297Z

Reserved: 2026-06-08T20:44:31.209Z

Link: CVE-2025-71320

Vulnrichment

Updated: 2026-06-17T17:51:10.887Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T17:45:13Z

Weaknesses
  • CWE-184: Incomplete List of Disallowed Inputs