CVE-2025-71357
Published 2026-06-21
Priority P3 · 42 · High · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.28% (19.3th percentile)
picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims.
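Where the detection gap sits, as an added example that is not picklescan's own code: a scanner that never unpickles anything but walks the opcode stream with pickletools, collects every global the file would import, and compares them against two hypothetical tables. The denylist is a stand-in for a signature-style list that, like picklescan before 0.0.30 according to this advisory, has no entry for idlelib.pyshell; the allowlist shows the default-deny alternative. The module and method names are the ones the advisory gives; the pickle is constructed by hand so idlelib.pyshell (which pulls in tkinter) is never imported, and the payload string is inert because the bytes are only parsed.

```python
"""Opcode-level scan of a pickle for a __reduce__ gadget.

Added example for this advisory, not picklescan's code.  DENYLIST and
ALLOWLIST are hypothetical stand-ins, not picklescan's real tables.  The
sample pickle is assembled by hand and only ever parsed with pickletools,
so nothing is unpickled and idlelib.pyshell is never imported.
"""
import pickle
import pickletools

# Hypothetical signature-style denylist: covers the usual suspects but not
# idlelib.pyshell, which is the gap the advisory describes for < 0.0.30.
DENYLIST = {
    ("os", "system"),
    ("posix", "system"),       # os.system is the posix module's function on POSIX
    ("subprocess", "Popen"),
    ("builtins", "eval"),
    ("builtins", "exec"),
}

# Hypothetical allowlist: the globals one model format legitimately needs.
ALLOWLIST = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

# Every opcode that pushes a str onto the unpickler stack.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def _short_unicode(s: str) -> bytes:
    b = s.encode("utf-8")
    if len(b) > 255:
        raise ValueError("SHORT_BINUNICODE holds at most 255 bytes")
    return pickle.SHORT_BINUNICODE + bytes([len(b)]) + b


def build_reduce_pickle(module: str, qualname: str, arg: str) -> bytes:
    """Hand-assemble a protocol-4 pickle equivalent to a __reduce__ that
    returns (module.qualname, (arg,)).  Constructed test input only."""
    return (
        pickle.PROTO + b"\x04"
        + _short_unicode(module)
        + _short_unicode(qualname)
        + pickle.STACK_GLOBAL   # resolve module.qualname at load time
        + _short_unicode(arg)
        + pickle.TUPLE1         # (arg,)
        + pickle.REDUCE         # call module.qualname(arg) at load time
        + pickle.STOP
    )


def dumps_reduce(func, args: tuple, protocol: int = 4) -> bytes:
    """Same thing via the real pickler, to show both encodings are covered:
    GLOBAL for protocol <= 3, STACK_GLOBAL for protocol 4+."""
    class Carrier:
        def __reduce__(self):
            return (func, args)
    return pickle.dumps(Carrier(), protocol=protocol)


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import, found without executing it.
    GLOBAL carries "module name" inline; STACK_GLOBAL consumes the two string
    pushes before it (protocol 4+, which is how a dotted qualname such as
    ModifiedInterpreter.runcommand is written in a single opcode)."""
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


def denylist_scan(data: bytes) -> list[tuple[str, str]]:
    """Signature approach: flags only imports that are already known bad."""
    return [g for g in referenced_globals(data) if g in DENYLIST]


def allowlist_scan(data: bytes) -> list[tuple[str, str]]:
    """Default-deny approach: flags every import not explicitly permitted."""
    return [g for g in referenced_globals(data) if g not in ALLOWLIST]


# Constructed sample: the gadget this advisory names, carrying an inert
# string argument (this script never unpickles it).
GADGET = build_reduce_pickle("idlelib.pyshell",
                             "ModifiedInterpreter.runcommand", "print('hi')")

if __name__ == "__main__":
    print("imports:      ", referenced_globals(GADGET))
    print("denylist hit: ", denylist_scan(GADGET))    # [] : the blind spot
    print("allowlist hit:", allowlist_scan(GADGET))   # the gadget is flagged
```

The practical point is the last two lines: any scanner built on a list of known-bad callables is only as good as that list, and the same file is flagged immediately by a scanner that permits only the globals a given model format needs. When a denylist is all you have, treat the scanner's version (here, 0.0.30 or later) as part of the control and re-scan stored artifacts after each upgrade.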
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mmaitre314 | picklescan | < 0.0.30 | 0.0.30 |
| picklescan | picklescan | < 0.0.30 | 0.0.30 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 7.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
picklescan up to 0.0.29 idlelib.pyshell.ModifiedInterpreter.runcommand deserialization (GHSA-j343-8v2j-ff7w / EUVD-2025-210293)
vuldb · 2026-06-21 · CVSS 8.1 · HIGH
A vulnerability identified as critical has been detected in picklescan up to 0.0.29. Impacted is the function idlelib.pyshell.ModifiedInterpreter.runcommand. This manipulation causes deserialization.
The identification of this vulnerability is CVE-2025-71357. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
CVE-2025-71357 [HIGH] CWE-502 (Deserialization of Untrusted Data)
ghsa_unreviewed · 2026-06-21
picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.