External risk intelligence

Picklescan Incomplete Deny-list Allows Arbitrary Code Execution

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2025-71320

A vulnerability in picklescan allows attackers to bypass its checks with a crafted pickle file: the scanner reports the file as clean, and arbitrary code runs when the file is later deserialized. The affected technology is picklescan, a developer tool, and the concern is whether it is used in environments where it might process untru

Halo Surface Signal

Very unlikely · external exposure

Picklescan is a developer-focused security tool used for static analysis of files, typically integrated into build pipelines, CI/CD processes, or local development workflows. It is not designed to be a public-facing network service or internet edge component, making public exposure in real-world deployments very unlikely.

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in picklescan, a tool that statically scans pickle files for dangerous imports before they are loaded. A specially crafted file can pass the scan as clean and then execute arbitrary code when it is deserialized. The primary concern is to determine whether this tool is in use within your environment and, if so, to understand its potential exposure.

  • Malicious pickle files can bypass the scanner's deny-list.
  • Typically run in development and build pipelines, not as an internet-facing service.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

picklescan decides whether a pickle is dangerous by reading the module and attribute names it references (the GLOBAL and STACK_GLOBAL opcodes) and matching them against a deny-list; it does not execute the file. In affected versions the deny-list omits callables that can stand in for a denied one, such as pydoc.locate, which resolves a dotted name to the object it names, so a crafted pickle can reach any importable callable without naming its module directly. The scanner reports such a file as clean, and the attacker's code runs when the file is later deserialized with pickle.

  • No authentication involved: the attacker only has to get a crafted pickle file into a workflow that scans it and then loads it.
  • The scan returns a clean verdict; execution happens at deserialization time.
  • Arbitrary code execution in the process that loads the file.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary code on a system that loads a specially crafted pickle file after picklescan has passed it. picklescan before version 0.0.33 does not flag certain Python callables (pydoc.locate among them) in its static scan, so the file is reported clean and the code it carries runs when the file is subsequently deserialized.

  • Arbitrary code execution on the system.
  • Malicious pickle files could be processed.
  • System compromise and data loss.

Operational Fix

Recommended remediation, mitigation, and detection steps

The development tool "picklescan" is most likely found with security-focused developers and in CI/CD pipelines, often as a pre-load check on pickled data. Initial triage should identify the development and build environments where it runs, confirm whether any of them scan and then deserialize pickle files from untrusted sources, and engage the relevant development or platform teams to coordinate the upgrade. Because the flaw is an incomplete deny-list, a clean verdict proves nothing about a file that uses a callable the list does not cover; treat the scan as one control, not as authorization to load untrusted pickles.

  • Identify development/CI/CD environments using the tool.
  • Verify untrusted pickle file deserialization exposure.
  • Coordinate with development teams for remediation.

Supplementary metadata

PCI scan relevance

Yes

CVE-2025-71320 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI relevant because it allows remote attackers to achieve arbitrary code execution by bypassing security checks through malicious pickle files.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is picklescan and how is it used?

Picklescan is a developer-focused security utility that statically analyzes pickle files. Because deserializing a pickle can execute arbitrary code, developers use it to scan files for references to dangerous modules and callables before they are loaded. It is typically integrated into local development workflows, automated build pipelines, or CI/CD processes as a pre-load check on pickled data before it is imported.

What does CVE-2025-71320 mean for picklescan?

This vulnerability is an incomplete deny-list weakness, categorized as CWE-184. The tool's list of dangerous Python callables omits some that can stand in for a blocked one; the page names pydoc.locate, which resolves a dotted name to the object it refers to. An attacker can therefore craft a pickle file whose malicious payload is reached through such a callable rather than through a denied module. picklescan reports the file as clean, and the payload executes when the file is loaded.
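
To make the mechanism described in the Attack Path section and in this answer concrete, here is an added example that is not picklescan's own code: a minimal static scanner in the same deny-list style, run over two constructed pickles. The deny-list contents, the assumption that the fix closes the gap by adding the pydoc module to it, and the benign os.getcwd target are this example's own; scanning uses pickletools.genops and never executes the file.

```python
# Added example (not picklescan's own code): a minimal static pickle scanner
# in the deny-list style the page describes. It shows why a name deny-list
# is incomplete: a pickle can reach a callable through a resolver such as
# pydoc.locate without ever naming the target module.
# The deny-list contents are constructed for illustration and are not
# picklescan's real list; os.getcwd is a harmless stand-in target.
import os
import pickle
import pickletools
from typing import List, Set, Tuple

# Constructed deny-list: a few modules any pickle scanner would refuse.
DENYLIST_BEFORE_FIX: Set[str] = {"os", "subprocess", "sys", "builtins", "socket", "shutil"}
# Assumption: the fixed version also refuses the pydoc resolver.
DENYLIST_AFTER_FIX: Set[str] = DENYLIST_BEFORE_FIX | {"pydoc"}

# Constructed pickles, written opcode by opcode (protocol 0/1 opcodes).
DIRECT = (
    b"cos\ngetcwd\n"   # GLOBAL  os.getcwd          -> names a denied module
    b")"               # EMPTY_TUPLE
    b"R"               # REDUCE  os.getcwd()
    b"."               # STOP
)
VIA_LOCATE = (
    b"cpydoc\nlocate\n"    # GLOBAL  pydoc.locate     -> not on the old deny-list
    b"(S'os.getcwd'\nt"    # MARK, STRING, TUPLE      -> ('os.getcwd',)
    b"R"                   # REDUCE  pydoc.locate('os.getcwd') == os.getcwd
    b")"                   # EMPTY_TUPLE
    b"R"                   # REDUCE  os.getcwd()      -> runs at load time only
    b"."                   # STOP
)


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Collect the (module, name) pairs a pickle would import, without running it.

    pickletools.genops only parses the opcode stream, so this is safe on
    untrusted input. STACK_GLOBAL (protocol 4+) takes its module and name
    from the two most recent string pushes; tracking those and ignoring memo
    lookups (BINGET) is a simplification of this example.
    """
    refs: List[Tuple[str, str]] = []
    strings: List[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            refs.append((strings[-2], strings[-1]))
        elif op.name in ("STRING", "SHORT_BINSTRING", "BINSTRING",
                         "UNICODE", "SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return refs


def flagged(refs: List[Tuple[str, str]], denylist: Set[str]) -> List[Tuple[str, str]]:
    """A reference is flagged when its module, or its top-level package, is denied."""
    return [(m, n) for m, n in refs
            if m in denylist or m.split(".", 1)[0] in denylist]


def verdict(data: bytes, denylist: Set[str]) -> str:
    """'blocked' if any referenced global is denied, otherwise 'clean'."""
    return "blocked" if flagged(referenced_globals(data), denylist) else "clean"


def run_demo() -> dict:
    """Scan verdicts for both pickles, plus what actually runs when the
    unflagged file is loaded afterwards."""
    return {
        "direct_before_fix": verdict(DIRECT, DENYLIST_BEFORE_FIX),          # blocked
        "via_locate_before_fix": verdict(VIA_LOCATE, DENYLIST_BEFORE_FIX),  # clean: the false negative
        "via_locate_after_fix": verdict(VIA_LOCATE, DENYLIST_AFTER_FIX),    # blocked
        # The scanner executed nothing; pickle.loads does. Loading the file
        # the old deny-list called clean runs os.getcwd() via pydoc.locate.
        "loaded_result_is_cwd": pickle.loads(VIA_LOCATE) == os.getcwd(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the three verdicts and the load-time result. The point to take away is the distance between the scan verdict and what pickle.loads does: the scanner only ever saw pydoc.locate, yet loading the file called os.getcwd, and the opcodes the scanner inspects would look the same for any other importable callable.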

How can an attacker trigger this vulnerability?

An attacker triggers this issue by getting a specially crafted pickle file scanned by a vulnerable version of picklescan and then loaded. Scanning legitimate files is unaffected, and the scan itself executes nothing; the bug is a false negative on a file that references one of the unblocked callables, and the consequence only materializes when that file is deserialized. If the tool is not scanning untrusted or external files, the risk of this execution path is significantly reduced.

Do I need to worry about this if I use picklescan?

Halo Surface Signal indicates that public exposure of this tool is very unlikely because it is not designed to be an internet-facing network service. You should primarily care if you integrate picklescan into automated pipelines that handle untrusted, externally sourced pickle files. If your usage is limited to internal, trusted files, the practical risk of remote exploitation remains low.

How do I respond to the picklescan vulnerability?

First, audit your development and CI/CD environments to identify where picklescan is deployed (for example, by checking the installed package version in each pipeline image). Then verify whether those instances process pickle files from untrusted, external sources. The recommended response is to update picklescan to version 0.0.33 or later, which resolves the deny-list incompleteness, and to coordinate the updates with your development or platform engineering teams. Even on a patched version, do not treat a clean scan as the only control before loading pickle files from untrusted sources; a deny-list can only catch the callables it knows about.
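
As an added example of the version check in the first step (not picklescan's own code), the following CI gate reads the installed picklescan version with importlib.metadata and fails the job on anything below 0.0.33. The threshold comes from this page; the function names and exit codes are this example's own choices.

```python
# Added example (not picklescan's own code): a CI gate that refuses to run a
# scan with a picklescan release older than 0.0.33, the first version the
# page says closes the deny-list gap. Function names and exit codes are
# this example's own choices.
from importlib import metadata
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (0, 0, 33)


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.0.33' -> (0, 0, 33). Compare numerically: as strings, '0.0.4' sorts
    after '0.0.33' and would wrongly pass the gate. A non-numeric suffix such
    as 'rc1' is dropped, which is a simplification of this example."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_fixed(version_text: str) -> bool:
    """True when the given picklescan version is 0.0.33 or later."""
    return parse_version(version_text) >= FIXED_VERSION


def installed_picklescan_version() -> Optional[str]:
    """Version string of the installed picklescan distribution, or None."""
    try:
        return metadata.version("picklescan")
    except metadata.PackageNotFoundError:
        return None


def gate(version_text: Optional[str]) -> int:
    """Exit status for the CI step: 0 = patched, 1 = affected, 2 = not installed."""
    if version_text is None:
        return 2
    return 0 if is_fixed(version_text) else 1


if __name__ == "__main__":
    import sys

    found = installed_picklescan_version()
    status = gate(found)
    print({
        0: f"picklescan {found} is patched (>= 0.0.33)",
        1: f"picklescan {found} is affected by CVE-2025-71320; upgrade to 0.0.33 or later",
        2: "picklescan is not installed in this environment",
    }[status])
    sys.exit(status)
```

Drop it into the pipeline step that runs picklescan so the scan cannot run on an affected release; status 2 is reported separately so a missing scanner is not mistaken for a patched one.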