CVE-2025-71322
HIGHPickleScan - Unsafe Globals Check Bypass via pty.spawn Function
Title source: cnaDescription
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-hgrh-qx5j-jfwx
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx
Third Party Advisory third-party-advisory
VulnCheck Advisory: PickleScan - Unsafe Globals Check Bypass via pty.spawn Function
https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function
Scores
CVSS v3
8.8
EPSS
0.0038
EPSS Percentile
30.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-693
Status
published
Products (3)
PickleScan/PickleScan
< 0.0.33
PickleScan/PickleScan
0.0.33
pypi/picklescan
0 - 0.0.33PyPI
Published
Jun 17, 2026
Tracked Since
Jun 17, 2026