Arbitrary Code Execution in Picklescan Affects Open Source Software
CVE-2025-71345

7.6HIGH

Key Information:

Vendor

Picklescan

Vendor
CVE Published:
4 July 2026

What is CVE-2025-71345?

The vulnerability in Picklescan prior to version 0.0.30 allows attackers to exploit the deserialization process of pickle files. By embedding malicious code within these files, attackers can invoke the function torch.utils.bottleneck.main.run_autograd_prof during deserialization, leading to the execution of arbitrary code on the affected system. This poses a significant risk as it can enable remote attacks and compromise system integrity. Users of Picklescan are advised to upgrade to the latest version to mitigate this threat.

Affected Version(s)

picklescan 0 < 0.0.30

picklescan 0.0.30

References

CVSS V4

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

FredericDT
.