
Arbitrary File Write in picklescan via distutils File Write Bypass

CVE advisory · Severity: CRITICAL (CVSS 9.3)

CVE-2025-71321

picklescan's blocklist of dangerous pickle imports can be bypassed, so a crafted pickle that writes arbitrary files receives a clean verdict from the scanner. When that file is later loaded, the write executes, which can overwrite critical files and lead to denial of service or remote code execution. The first thing to establish is whether picklescan is in use and whether it gates untrusted pickle input.

Deserialization

Halo Surface Signal

Very unlikely · external exposure

picklescan is a developer tool and library used for scanning pickle files, typically executed in local development, build, or offline analysis environments. It is not a network-facing service, appliance, or application component designed to be reachable from the public internet in common deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory covers a blocklist bypass in picklescan that lets a malicious pickle with an arbitrary file write pass as clean. If the scanned file is then loaded, the attacker can overwrite critical files, with denial of service or remote code execution as the likely outcomes. The primary concern is to confirm whether picklescan is in use and whether it is the only control between untrusted pickles and a loader.

  • A crafted pickle can write to any path the loading process can reach.
  • Executive concern: service disruption or code execution on build and ML hosts.
  • Confirm whether picklescan is used, and where its verdict is trusted.

Attack Path

How an attacker could exploit the issue

An attacker crafts a pickle (for example a model file) whose deserialization calls a file-writing function that picklescan's blocklist does not cover; the advisory title names distutils as the component involved. The scanner reports the file as safe, and when a downstream consumer loads it, the write runs with that process's privileges. Overwriting a startup script, configuration, or library on the host turns the write into code execution; overwriting something the service depends on causes denial of service.

  • Supply a crafted pickle to a pipeline that trusts picklescan's verdict.
  • Scanner misses the write; loading the file overwrites a chosen path.
  • Denial of service or code execution follows from the overwritten file.

Live Threat

Current exploitation, exposure, and threat context

No in-the-wild exploitation is recorded on this page. The threat is to any workflow in which picklescan is relied upon to vet pickles from untrusted or unverified sources before they are loaded: there the bypass removes the only check, and the file write runs as soon as the pickle is deserialized.

  • Untrusted pickles that pass the scanner are the exposure.
  • The write executes at load time, not at scan time.
  • Impact ranges from denial of service to code execution, depending on the path overwritten.

Operational Fix

Recommended remediation, mitigation, and detection steps

`picklescan` is used by developers in local, build, or offline analysis environments, so direct external exposure is unlikely and remediation will normally fall to development teams or those managing the build pipeline. The first practical step is to identify where `picklescan` runs, confirm whether it processes pickles from outside the organisation, and establish whether its verdict is the only control before those files are loaded. Then coordinate with the accountable development or platform team to update to a fixed release. A caveat worth stating to those teams: a blocklist-based scanner cannot enumerate every callable that writes files, so treat a clean scan as one layer and avoid loading untrusted pickles at all where the workflow allows.

  • Development and platform teams own the issue.
  • Verify where `picklescan` runs and whether its input is untrusted.
  • Update `picklescan` to a fixed release and do not rely on its verdict alone for untrusted input.
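The following is an added example, not code from the page or from the picklescan project, illustrating the attack-path point (a blocklist misses any file-writing import it does not name) and the operational-fix point (an allowlist over the imports a pickle actually needs catches the same file). It enumerates imports from pickle opcodes with `pickletools.genops`, so nothing is ever deserialized. The blocklist, allowlist, and sample pickles are constructed for the example; `distutils.file_util.write_file` is a real stdlib helper used here only as a plausible un-blocklisted writer, since the advisory names distutils but not the exact call the CVE relies on.

```python
import collections
import pickle
import pickletools

# Constructed benign sample: plain data, which produces no import opcodes.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)

# Constructed sample of a class reference under protocol 4, which uses
# STACK_GLOBAL (module and name pushed as strings first) rather than GLOBAL.
CLASS_REF = pickle.dumps(collections.OrderedDict, protocol=4)

# Constructed suspicious sample written as raw protocol-0 opcodes so it can be
# scanned whether or not the referenced callable exists.  It decodes to
# REDUCE(distutils.file_util.write_file, ("/tmp/example", ["x"])).
# distutils.file_util.write_file is a real helper (removed in Python 3.12)
# chosen only to illustrate an un-blocklisted file writer; the advisory names
# distutils but does not state which call the CVE uses (assumption).
SUSPICIOUS = b"cdistutils.file_util\nwrite_file\n(S'/tmp/example'\n(S'x'\nltR."

# Blocklist in the style of opcode scanners: only the obviously dangerous modules.
BLOCKLIST = {"os", "subprocess", "builtins", "shutil", "socket", "sys"}
# Allowlist of what this (assumed) model format legitimately needs.
ALLOWLIST = {("collections", "OrderedDict"), ("numpy", "ndarray")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def list_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the pickle would import, without loading it."""
    found = []
    strings = []   # string constants pushed so far, used to resolve STACK_GLOBAL
    memo = {}      # memo slot -> string (None for non-string values)
    last = None    # string pushed by the previous opcode, if any
    for op, arg, _pos in pickletools.genops(data):
        pushed = None
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)   # genops joins the pair with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4 pushes module then name as strings before STACK_GLOBAL.
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            pushed = arg
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last             # protocol 4: implicit slot numbering
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last                   # older protocols: explicit slot
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            pushed = memo.get(arg)             # a name fetched back from the memo
        if isinstance(pushed, str):
            strings.append(pushed)
        last = pushed
    return found


def scan_blocklist(data: bytes) -> list[tuple[str, str]]:
    """Flag imports whose top-level package is blocklisted; anything else passes."""
    return [(m, n) for m, n in list_globals(data) if m.split(".")[0] in BLOCKLIST]


def scan_allowlist(data: bytes) -> list[tuple[str, str]]:
    """Flag every import not explicitly allowed; unknown callables are findings."""
    return [(m, n) for m, n in list_globals(data) if (m, n) not in ALLOWLIST]


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("class ref", CLASS_REF), ("suspicious", SUSPICIOUS)):
        print(f"{label:10} blocklist={scan_blocklist(blob)} allowlist={scan_allowlist(blob)}")
```

The suspicious sample produces no blocklist finding, because its module is not one the blocklist names, while the allowlist flags it immediately. The memo handling is the minimum needed for protocol-4 pickles produced by `pickle.dumps`; a production scanner has to model the full opcode stack, which is exactly why an allowlist of expected imports is the safer basis for a verdict than a list of known-bad ones.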

Supplementary metadata

PCI scan relevance

Yes

CVE-2025-71321 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, a CVSS 9.3 finding on an in-scope host is a failing result, so this issue may be flagged for scan prioritization.

Because picklescan is not a network-facing service, it is unlikely to be observed by an external ASV scan; the relevance is to in-scope build or processing hosts where the package is installed and where a crafted pickle could overwrite files and lead to remote code execution.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is picklescan?

Picklescan is a security utility that inspects Python pickle files for malicious or dangerous imports before they are loaded, by examining the pickle's opcodes rather than executing them. It is typically integrated into development workflows, automated build pipelines, and offline data processing environments to vet untrusted pickle payloads, a common format for serializing complex Python objects such as machine-learning models.

What is the vulnerability in CVE-2025-71321?

This vulnerability is an arbitrary file write flaw, categorized as CWE-502 (deserialization of untrusted data). The scanner's blocklist of dangerous imports can be bypassed; the advisory title identifies distutils as the component involved. A crafted pickle that references an un-blocklisted file-writing callable passes the scan, and when the pickle is loaded it writes to an attacker-chosen location on the host, potentially overwriting critical files.

How can an attacker trigger this CVE-2025-71321 vulnerability?

The flaw matters when picklescan is used to vet a specially crafted pickle: the scanner returns a clean verdict, and the file write runs when the pickle is subsequently loaded. Simply having the library installed triggers nothing; unless picklescan is actively relied upon to clear a compromised file that is then deserialized, the execution path remains inactive.

Is my system at risk from this picklescan vulnerability?

According to Halo Surface Signal, this software is typically used in local development or internal build environments and is not a network-facing service. Therefore, it is very unlikely to be reachable from the public internet. Risk is highest if your automated pipelines process untrusted pickle files from external or unverified sources.

What should I do if my team uses picklescan?

First, identify every place the tool runs within your development and build pipelines. Coordinate with your development or platform engineers to confirm how it is used and whether it processes untrusted input that is later loaded. Then update to a fixed release of the library and, for untrusted input, do not treat a clean scan as the only control.

References