Description
picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when the file is loaded via pickle.load(), enabling supply chain attacks on PyTorch models and saved Python objects. This is fixed in version 0.0.30.
Published: 2026-06-25
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious pickle file can embed calls to idlelib.pyshell.ModifiedInterpreter.runcode inside its __reduce__ method; when that file is deserialized with pickle.load(), the code runs with the privileges of the process loading it. This flaw permits arbitrary command execution in applications that use picklescan to load or process serialized data, such as PyTorch models and other Python objects, and is classified as a serialization vulnerability (CWE-502).

Affected Systems

picklescan prior to version 0.0.30, specifically 0.0.26 and earlier, are affected. The issue is fixed in picklescan 0.0.30 and later releases.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity for this vulnerability. Although EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog, the possibility of executing arbitrary code when loading benign-looking files makes the risk substantial. The attack vector is file-based or supply‑chain: an attacker can deliver a crafted pickle file that triggers execution upon load. Any system that accepts pickle input from untrusted sources and uses picklescan to process it faces a direct threat of code execution and potential compromise of confidentiality, integrity, and availability.

Generated by OpenCVE AI on June 25, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade picklescan to version 0.0.30 or newer to apply the vendor patch.
  • Validate or sanitize all pickle inputs, rejecting any data that originates from untrusted or externally supplied sources.
  • If an upgrade is not immediately possible, load pickle files in a sandboxed environment and ensure the process executing pickle.load() runs with minimal privileges.

Generated by OpenCVE AI on June 25, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
First Time appeared Picklescan
Picklescan picklescan
Vendors & Products Picklescan
Picklescan picklescan

Thu, 25 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when the file is loaded via pickle.load(), enabling supply chain attacks on PyTorch models and saved Python objects. This is fixed in version 0.0.30.
Title picklescan - Remote Code Execution via idlelib.pyshell.ModifiedInterpreter.runcode
First Time appeared Mmaitre314
Mmaitre314 picklescan
Weaknesses CWE-502
CPEs cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
Vendors & Products Mmaitre314
Mmaitre314 picklescan
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mmaitre314 Picklescan
Picklescan Picklescan
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T13:41:04.662Z

Reserved: 2026-06-20T01:48:36.756Z

Link: CVE-2025-71340

cve-icon Vulnrichment

Updated: 2026-06-26T13:41:00.531Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T03:15:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data