CVE-2025-71325

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning.

Vulnerability Details

Published Date

June 17, 2026

Last Modified

June 17, 2026

CWE ID

CWE-391

Source

NVD

Vendor

picklescan

Product

picklescan

External References

https://github.com/mmaitre314/picklescan/commit/2a8383cfeb4158567f9770d86597300c9e508d0f
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr
https://www.vulncheck.com/advisories/picklescan-detection-bypass-via-stack-global-opcode-parsing-logic-flaw
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfr

CVE-2025-71325

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment