Parsing Logic Error in Picklescan Leading to Security Bypass
CVE-2025-71325

9.3CRITICAL

Key Information:

Vendor

Picklescan

Status
Picklescan
Vendor
CVE Published:
17 June 2026

What is CVE-2025-71325?

The affected versions of Picklescan feature a critical parsing logic error within the _list_globals function, specifically when processing STACK_GLOBAL opcodes. This flaw inadvertently fails to properly track arguments within designated ranges, enabling attackers to exploit this vulnerability by crafting malicious pickle files that utilize position zero arguments. Consequently, this may lead to unexpected exceptions, effectively allowing these files to evade the security scanning mechanisms designed to protect users from harmful content.

Affected Version(s)

picklescan 0 < 0.0.27

picklescan 0.0.27

References

https://github.com/mmaitre314/picklescan/security/advisor...
vendor-advisory
https://github.com/mmaitre314/picklescan/commit/2a8383cfe...
patch
https://www.vulncheck.com/advisories/picklescan-detection...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lyutoon
.