CVE-2025-71359

Source
https://cve.org/CVERecord?id=CVE-2025-71359
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71359.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71359
Aliases
Published
2026-07-04T01:23:35.892Z
Modified
2026-07-15T01:48:59.924725755Z
Severity
  • 7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
picklescan - Unsafe Deserialization via lib2to3.pgen2.grammar.Grammar.loads
Details

picklescan before 0.0.29 fails to detect malicious pickle payloads that utilize lib2to3.pgen2.grammar.Grammar.loads in the reduce method, allowing remote code execution. Attackers can craft pickle files embedding dangerous code that evades picklescan detection and executes during pickle.load() deserialization.

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71359.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/mmaitre314/picklescan

Affected ranges

Type
GIT
Repo
https://github.com/mmaitre314/picklescan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.29"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71359.json"