Description
picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.
Published: 2026-06-22
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

picklescan before 0.0.30 fails to detect calls to the standard library's ensurepip._run_pip function when scanning pickle data, allowing an attacker to embed such calls in a malicious pickle's __reduce__ method. Loading the pickle file with pickle.load() will trigger the hidden function and execute arbitrary code in the process. The weakness is a classic deserialization flaw (CWE-502) that results in full code execution.

Affected Systems

The vulnerability affects the picklescan utility provided by mmaitre314. Versions 0.0.26 and earlier are impacted; any deployment of these releases is susceptible to exploitation.

Risk and Exploitability

The assessed CVSS score of 7.6 indicates high potential impact. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, suggesting that public exploits may not yet exist but the risk remains significant. Based on the description, the likely attack vector is an attacker who can supply a crafted pickle file to a system that relies on picklescan to vet such data before loading it; the file passes the scan and, upon deserialization with pickle.load(), the system executes the injected code.

Generated by OpenCVE AI on June 22, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade picklescan to version 0.0.30 or later, which closes the detection gap for ensurepip._run_pip calls.
  • Use controlled and trusted sources for pickle files, and avoid loading untrusted data with pickle.load().
  • When deserialization of external data is unavoidable, run the process in a sandbox or with reduced privileges to contain any potential code execution.
  • Consider implementing checksum verification or alternative, safer serialization formats to prevent malicious pickle files from being processed.
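
The detection gap described above comes down to which imports a scanner resolves and denies. The following is an added example, not picklescan's code and not part of the advisory: it walks the opcode stream with pickletools.genops, never unpickling, and flags ensurepip._run_pip whether it is referenced through GLOBAL or STACK_GLOBAL. The DENYLIST, the function names and the sample byte strings are constructed for illustration.

```python
import pickle
import pickletools

# Denylist for this example only; the advisory names ensurepip._run_pip.
DENYLIST = {("ensurepip", "_run_pip")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
MEMO_WRITES = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def imported_globals(data):
    """Yield (module, name) for each import opcode, without unpickling."""
    tail = []  # most recent stack pushes: a str, or None when unknown
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in MEMO_WRITES:
            continue  # writes to the memo, leaves the stack unchanged
        if opcode.name == "GLOBAL":  # protocols 0-3: "module name" inline
            yield tuple(arg.split(" ", 1))
        elif opcode.name == "STACK_GLOBAL":  # protocol 4+: two strings on the stack
            pair = tuple(tail[-2:])
            # Fail closed: an import we cannot resolve is reported as (None, None).
            yield pair if len(pair) == 2 and None not in pair else (None, None)
        tail.append(arg if opcode.name in STRING_OPS else None)


def scan(data):
    """Return denylisted imports plus any import that could not be resolved."""
    return [g for g in imported_globals(data) if g in DENYLIST or None in g]


# Constructed samples. The two flagged ones hold only the import reference
# (no call opcode), and nothing here is ever passed to pickle.load().
SAMPLE_GLOBAL = b"censurepip\n_run_pip\n."
SAMPLE_STACK_GLOBAL = b"\x80\x04\x8c\x09ensurepip\x8c\x08_run_pip\x93."
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2]})

if __name__ == "__main__":
    for label, blob in [("GLOBAL", SAMPLE_GLOBAL),
                        ("STACK_GLOBAL", SAMPLE_STACK_GLOBAL),
                        ("benign", SAMPLE_BENIGN)]:
        print(label, scan(blob) or "clean")
```

A denylist only catches the names it contains, which is the failure mode this CVE describes; an allowlist of expected globals fails closed instead.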


Advisories
Source: Github GHSA
ID: GHSA-xp4f-hrf8-rxw7
Title: Picklescan is missing detection when calling built-in python ensurepip._run_pip

History

Tue, 23 Jun 2026 02:30:00 +0000

Values added:
  • First Time appeared: Picklescan; Picklescan picklescan
  • Vendors & Products: Picklescan; Picklescan picklescan

Mon, 22 Jun 2026 22:00:00 +0000

Values added:
  • Description: picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detection and achieve remote code execution upon pickle.load() invocation.
  • Title: picklescan - Arbitrary Code Execution via Undetected ensurepip._run_pip Function
  • First Time appeared: Mmaitre314; Mmaitre314 picklescan
  • Weaknesses: CWE-502
  • CPEs: cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
  • Vendors & Products: Mmaitre314; Mmaitre314 picklescan
  • References
  • Metrics:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
    cvssV4_0: {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:41.975Z

Reserved: 2026-06-20T12:48:06.735Z

Link: CVE-2025-71344

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T02:15:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data