Description
picklescan before 0.0.28 fails to detect malicious pickle files that exploit the torch._dynamo.guards.GuardBuilder.get function in reduce methods. Attackers can craft pickle files with embedded code that evades picklescan detection and executes arbitrary commands when loaded.
Published: 2026-07-04
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

picklescan versions prior to 0.0.28 do not flag pickle streams whose reduce callable is torch._dynamo.guards.GuardBuilder.get. picklescan only inspects the opcode stream, so the payload does not run inside the scanner itself; the danger is that a pipeline which gates model files on a clean picklescan verdict then loads the file with pickle.load or torch.load, and at that point the embedded code executes with the privileges of the loading process. The weakness is classified as CWE-502 (Deserialization of Untrusted Data), the class of flaw that yields arbitrary code execution when a crafted pickle is loaded.

Affected Systems

The affected product is picklescan (mmaitre314/picklescan). All releases before 0.0.28 are vulnerable; 0.0.28 is the first release that flags this gadget. Note that picklescan flags, it does not reject: the loader that consumes the file still decides what runs. Anyone who relies on picklescan as the gate for pickle-based artifacts from untrusted sources (model hubs, user uploads, shared storage, CI artifacts) is impacted.

Risk and Exploitability

The CVSS 4.0 score of 7.6 (8.1 under CVSS 3.1) rates this high: network-reachable, low complexity, no privileges required, high impact on confidentiality and integrity. Both vectors require user interaction (UI:R / UI:P) because a victim must scan and then load the file, and the 4.0 vector marks the attack as needing preconditions (AT:P). The EPSS score of 0.003 (0.3%) suggests a low but non-zero probability of exploitation, and the vulnerability is not listed in CISA KEV, so there is no known widespread exploitation yet. The likely attack path is supply-chain shaped: the attacker publishes or uploads a crafted pickle or PyTorch model file to a place where picklescan is the control that decides whether the file is trusted, the scan comes back clean, and the payload executes on the host that loads the file.

Generated by OpenCVE AI on July 5, 2026 at 04:13 UTC.

Remediation

No vendor advisory or workaround is linked from this record; the CVE description itself identifies 0.0.28 as the first unaffected release.

OpenCVE Recommended Actions

  • Upgrade picklescan to version 0.0.28 or later, the first release that flags this gadget. Signature-based scanners lag every new gadget, so do not treat a clean scan as proof that a pickle is safe.
  • Restrict pickle files to trusted sources, and verify origin (signature or checksum from a trusted publisher) before loading, since the file, not the scanner, is where code runs.
  • Where untrusted artifacts must be processed, prefer a format that cannot carry code: safetensors for model weights, JSON or similar for plain data. Where pickle cannot be avoided, load through a restricted Unpickler whose find_class only resolves an explicit allowlist of globals, and for PyTorch checkpoints use torch.load(..., weights_only=True), which restricts the globals the unpickler will resolve.
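The following is an added example, not picklescan's code and not the CVE's payload. It shows, with the standard library only, why a denylist scanner misses a gadget under an unlisted package while an allowlisting Unpickler refuses it without knowing about it. Every pickle stream in it is constructed in the file; the "gadget" stream merely references the global named in the CVE and is not a working exploit. The denylist and the allowlist are assumptions for illustration, not picklescan's real signatures.

```python
"""Added example (not picklescan's own code and not the CVE payload): a
pickletools-based view of which globals a pickle stream imports, a toy
denylist check in the style of a signature scanner, and an allowlisting
Unpickler that refuses unknown globals at load time. Stdlib only; every
pickle below is constructed in this file."""
import collections
import io
import pickle
import pickletools

# Classic pickle RCE shape, protocol 0: GLOBAL os.system, one-element tuple
# argument, REDUCE, STOP. Constructed here; loading it unrestricted would run
# the command, so only the allowlist loader below ever touches it.
OBVIOUS_PAYLOAD = b"cos\nsystem\n(S'echo pwned'\ntR."

# Same shape, but the reduce callable is the global named in the CVE. This is
# only a reference to that name, not a working exploit; whether the call does
# anything with this argument is not demonstrated here.
GADGET_REFERENCE = b"ctorch._dynamo.guards\nGuardBuilder.get\n(S'x'\ntR."

# Benign streams: plain data (no globals at all) and an OrderedDict, which
# needs one global resolved (STACK_GLOBAL under protocol 4).
BENIGN_DATA = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)
BENIGN_ORDERED = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the stream imports, without
    executing it. GLOBAL carries "module name" inline; STACK_GLOBAL takes the
    two most recently pushed strings (approximation: memo GETs are not
    followed, which is enough for streams written by pickle.dumps)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
    return found


# Illustrative denylist (an assumption, not picklescan's real list): top-level
# modules whose functions are well-known code-execution sinks.
DENYLIST_MODULES = {"os", "nt", "posix", "subprocess", "sys", "builtins", "shutil"}


def denylist_scan(data: bytes) -> list[str]:
    """Globals a denylist scanner would flag. A gadget under an unlisted
    package (here torch.*) passes until someone adds it, which is the
    detection gap the CVE describes."""
    return [f"{m}.{n}" for m, n in referenced_globals(data)
            if m.split(".")[0] in DENYLIST_MODULES]


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only globals on an explicit allowlist. Unknown gadgets are
    refused before find_class imports anything, so nothing runs."""
    # Assumption: the globals this application's own model files need.
    ALLOWED = {("collections", "OrderedDict"), ("builtins", "dict"),
               ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_outcome(data: bytes) -> str:
    """'loaded' if the allowlist loader accepts the stream, else 'rejected'."""
    try:
        AllowlistUnpickler(io.BytesIO(data)).load()
        return "loaded"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    for label, blob in [("obvious", OBVIOUS_PAYLOAD), ("gadget", GADGET_REFERENCE),
                        ("data", BENIGN_DATA), ("ordered", BENIGN_ORDERED)]:
        print(f"{label:8} globals={referenced_globals(blob)} "
              f"denylist={denylist_scan(blob)} allowlist={load_outcome(blob)}")
```

Run as a script to see the four streams side by side: the denylist flags os.system and nothing else, so the torch._dynamo.guards reference looks clean to it, exactly the shape of the gap before 0.0.28; the allowlist loader rejects both hostile streams and accepts both benign ones without having heard of the gadget. referenced_globals is also a useful triage tool on its own: run it over any model file before loading to see every import it would perform. torch.load(weights_only=True) applies the same allowlisting idea inside PyTorch, and safetensors sidesteps the problem by not being executable at all.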

Tracking

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 03:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Picklescan
                                      Picklescan picklescan
Vendors & Products                    Picklescan
                                      Picklescan picklescan

Sat, 04 Jul 2026 01:45:00 +0000

Type                 Values Removed   Values Added
Description                           picklescan before 0.0.28 fails to detect malicious pickle files that exploit torch._dynamo.guards.GuardBuilder.get function in reduce methods. Attackers can craft pickle files with embedded code that evades picklescan detection and executes arbitrary commands when loaded.
Title                                 picklescan - Remote Code Execution via torch._dynamo.guards.GuardBuilder.get
First Time appeared                   Mmaitre314
                                      Mmaitre314 picklescan
Weaknesses                            CWE-502
CPEs                                  cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
Vendors & Products                    Mmaitre314
                                      Mmaitre314 picklescan
References                            (none listed)
Metrics                               cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
                                      cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-04T01:23:34.482Z

Reserved: 2026-06-20T12:55:02.882Z

Link: CVE-2025-71353

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T04:15:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data