CVE-2025-71321
CRITICALpicklescan - Arbitrary File Writing via distutils Module Bypass
Title source: cnaDescription
picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code execution.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-m273-6v24-x4m4
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4
Third Party Advisory third-party-advisory
VulnCheck Advisory: picklescan - Arbitrary File Writing via distutils Module Bypass
https://www.vulncheck.com/advisories/picklescan-arbitrary-file-writing-via-distutils-module-bypass
Scores
CVSS v3
9.8
EPSS
0.0062
EPSS Percentile
45.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (3)
picklescan/picklescan
< 0.0.33
picklescan/picklescan
0.0.33
pypi/picklescan
0 - 0.0.33PyPI
Published
Jun 17, 2026
Tracked Since
Jun 17, 2026