picklescan – Arbitrary Code Execution via numpy.f2py.crackfortran.myeval Detection Bypass

7.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded.

Basic Information

ID CVE-2025-71365

Source VulnCheck

Published Jun 23, 2026 at 12:12

Affected Product

Vendor picklescan

Product picklescan

Affected Versions picklescan picklescan 0

CWE Classification

CWE-502

References

{
    "lastseen": "",
    "description": "picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded.",
    "published": "2026-06-23T12:12:53.900Z",
    "modified": "2026-06-23T12:12:53.900Z",
    "type": "cve",
    "title": "picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran.myeval Detection Bypass",
    "source": "VulnCheck",
    "references": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3329-ghmp-jmv5\nhttps://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-numpy-f2py-crackfortran-myeval-detection-bypass",
    "id": "CVE-2025-71365",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "picklescan picklescan 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "picklescan",
    "version": "0",
    "vendor": "picklescan",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

picklescan – Arbitrary Code Execution via numpy.f2py.crackfortran.myeval Detection Bypass_CVE-2025-71365