CVE-2025-71378

Exploit

EPSS 0.31%
Veröffentlicht 21.06.2026 13:26:50
Zuletzt bearbeitet 26.06.2026 14:12:04
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

picklescan - Remote Code Execution via Undetected cProfile.runctx in Pickle Files

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mmaitre314 ≫ Picklescan Version < 0.0.30

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.229

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
disclosure@vulncheck.com	7.6	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p

Vendor Advisory

Exploit

https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-cprofile-runctx-in-pickle-files

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-71378

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-71378

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-71378

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-71378