CVE-2025-71349

Source
https://cve.org/CVERecord?id=CVE-2025-71349
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71349.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71349
Aliases
Published
2026-06-30T22:08:16.039Z
Modified
2026-07-15T01:48:51.649385479Z
Severity
  • 7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
picklescan - Arbitrary Code Execution via Undetected trace.Trace.run in Pickle Files
Details

picklescan before 0.0.29 fails to detect the built-in trace.Trace.run function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using trace.Trace.run in the reduce method to achieve arbitrary code execution when pickle.load processes the file.

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71349.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/mmaitre314/picklescan

Affected ranges

Type
GIT
Repo
https://github.com/mmaitre314/picklescan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.29"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71349.json"