picklescan - Remote Code Execution via timeit.timeit() Detection Bypass | Advisories

Advisories

picklescan - Remote Code Execution via timeit.timeit() Detection Bypass

severity: high
date: 6/21/2026
Affecting: picklescan >= 0, < 0.0.25
CVE: CVE-2025-71351
CWE: CWE-184 Incomplete List of Disallowed Inputs
CVSS: 7.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-v7x6-rv5q-mhwc
Credit: SeaW1nd
Description: picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute when pickle.load() is called.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo