Description
picklescan before 0.0.28 fails to detect malicious pickle files that invoke the torch.utils._config_module.load_config function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply chain attacks.
Published: 2026-06-21
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Picklescan before version 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_config from a reduce method. An attacker can craft a pickle that passes the scan but runs arbitrary code as soon as the consumer calls pickle.load (or a wrapper built on it, such as torch.load), yielding remote code execution in a supply-chain scenario such as a poisoned model checkpoint. This is a deserialization weakness (CWE-502): executing code on load is inherent to the pickle format, and the defect here is that the scanner's check for dangerous callables did not cover this one. Systems that rely on a clean picklescan verdict before loading third-party pickles can therefore lose confidentiality and integrity; the recorded CVSS vectors rate the availability impact as none.

Affected Systems

The vulnerability affects picklescan, published under the mmaitre314 namespace (CPE cpe:2.3:a:mmaitre314:picklescan). All releases prior to version 0.0.28 are impacted. Users of earlier versions are at risk when they rely on the scanner to clear pickle files from untrusted sources before loading them.

Risk and Exploitability

The CVSS 4.0 base score is 7.6 (High); the CVSS 3.1 vector recorded for the same issue scores 8.1. Both vectors describe a network-reachable, low-complexity attack needing no privileges but requiring user interaction: the victim has to load the file. EPSS data is not available to gauge likelihood, and the issue is not listed in the CISA KEV catalog, so there is no public exploitation data at this time. The likely vector is supply chain: an attacker publishes or substitutes a pickle artefact (for example a model checkpoint) that picklescan clears and that the victim then deserialises. Note that the scan itself does not run the payload; picklescan inspects the file without deserialising it, and the embedded code executes only when the cleared file is passed to pickle.load or a wrapper around it.

Generated by OpenCVE AI on June 21, 2026 at 16:21 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description identifies 0.0.28 as the first version that detects this gadget.

OpenCVE Recommended Actions

  • Upgrade picklescan to version 0.0.28 or later, which contains the detection fix.
  • Until the upgrade is done, do not treat a clean picklescan verdict as sufficient: load pickle files only from sources you trust, pin and verify them by hash or signature, and reject payloads from untrusted origins.
  • Where possible, move to model and data formats that do not execute code on load (safetensors is the common choice for weights), or deserialise with a restricted unpickler that resolves only an explicit allowlist of globals. A scanner's denylist can always miss a newly found gadget, which is exactly what this CVE records.
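A scanner of this kind works by inspecting which globals a pickle stream imports and comparing them against a list of dangerous callables, so any callable missing from that list passes, which is the gap this advisory describes. The following added example (written for this page, not picklescan's own code) shows the shape of such a static check: it walks the opcode stream with pickletools.genops, which parses but never executes, and flags GLOBAL or STACK_GLOBAL references to torch.utils._config_module.load_config. The sample pickles are constructed inline from raw opcodes and are only ever scanned, never loaded. The extra denylist entries (builtins.eval, os.system and so on) are this example's own additions, and the STACK_GLOBAL operand tracking is an approximation: a production scanner has to emulate the unpickler stack and memo, so this walker fails closed on anything it cannot resolve.

```python
"""Static check for dangerous globals in a pickle stream, without loading it.

Added example for this page (not picklescan's code). pickletools.genops only
parses the opcode stream, so nothing here imports or executes the referenced
callables.
"""
from __future__ import annotations

import collections
import pickle
import pickletools

DANGEROUS_GLOBALS = {
    ("torch.utils._config_module", "load_config"),  # the gadget named in this CVE
    ("builtins", "eval"),      # the rest are well-known gadgets, added here
    ("builtins", "exec"),      # for illustration only
    ("os", "system"),
    ("subprocess", "Popen"),
}

# Opcodes that push a str onto the unpickler stack (operands of STACK_GLOBAL).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def referenced_globals(data: bytes) -> list[tuple[str | None, str | None]]:
    """Return (module, name) pairs the stream imports via GLOBAL or STACK_GLOBAL.

    STACK_GLOBAL takes its two operands from the stack. This walker tracks only
    the most recently pushed string constants instead of emulating the full
    stack and memo, so an operand it cannot resolve is returned as (None, None)
    and the caller treats it as suspicious rather than silently ignoring it.
    """
    pushed_strings: list[str] = []
    refs: list[tuple[str | None, str | None]] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            # genops renders the two-line operand as "module name"
            module, _, name = arg.partition(" ")
            refs.append((module, name))
        elif op.name in _STRING_OPS:
            pushed_strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            if len(pushed_strings) >= 2:
                name = pushed_strings.pop()
                module = pushed_strings.pop()
                refs.append((module, name))
            else:
                refs.append((None, None))
    return refs


def scan_pickle(data: bytes) -> list[str]:
    """Return findings; an empty list means no denylisted global was seen."""
    try:
        refs = referenced_globals(data)
    except ValueError as exc:  # truncated or malformed stream: fail closed
        return [f"malformed pickle: {exc}"]
    findings = []
    for module, name in refs:
        if module is None:
            findings.append("STACK_GLOBAL with unresolved operands")
        elif (module, name) in DANGEROUS_GLOBALS:
            findings.append(f"dangerous global {module}.{name}")
    return findings


def build_reduce_pickle(module: str, name: str, protocol: int = 2) -> bytes:
    """Constructed sample: a stream whose REDUCE would call module.name().

    Built from raw opcodes so nothing is imported or executed here; it is only
    fed to the static scanner above, never to pickle.load.
    """
    if protocol >= 4:
        def short_unicode(s: str) -> bytes:
            raw = s.encode("utf-8")
            return pickle.SHORT_BINUNICODE + bytes([len(raw)]) + raw
        ref = short_unicode(module) + short_unicode(name) + pickle.STACK_GLOBAL
    else:
        ref = pickle.GLOBAL + f"{module}\n{name}\n".encode("utf-8")
    return (pickle.PROTO + bytes([protocol]) + ref
            + pickle.EMPTY_TUPLE + pickle.REDUCE + pickle.STOP)


def benign_pickle() -> bytes:
    """Constructed benign sample: a real protocol-4 dump that uses STACK_GLOBAL
    for collections.OrderedDict, so the allowed-global path is exercised too."""
    return pickle.dumps(collections.OrderedDict(weights=[1.0, 2.0]), protocol=4)


if __name__ == "__main__":
    bad = build_reduce_pickle("torch.utils._config_module", "load_config", protocol=4)
    print(scan_pickle(bad))              # flags the load_config reference
    print(scan_pickle(benign_pickle()))  # nothing flagged
```

The check is deliberately stricter than "load_config inside a reduce method": any import of a denylisted callable is reported, whether or not a REDUCE follows, because the reference alone has no legitimate use in a data file.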

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 18:30:00 +0000 (values added; nothing removed)

  First Time appeared: Picklescan; Picklescan picklescan
  Vendors & Products: Picklescan; Picklescan picklescan

Sun, 21 Jun 2026 15:00:00 +0000 (values added; nothing removed)

  Description: picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_config function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply chain attacks.
  Title: picklescan - Arbitrary Code Execution via torch.utils._config_module.load_config Bypass
  First Time appeared: Mmaitre314; Mmaitre314 picklescan
  Weaknesses: CWE-502
  CPEs: cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
  Vendors & Products: Mmaitre314; Mmaitre314 picklescan
  References: (none)
  Metrics:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
    cvssV4_0: {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-21T13:26:48.046Z

Reserved: 2026-06-20T12:48:06.735Z

Link: CVE-2025-71348

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T18:15:04Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data