CVE-2025-71322

HIGH

PickleScan - Unsafe Globals Check Bypass via pty.spawn Function

Title source: cna
STIX 2.1

Description

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-hgrh-qx5j-jfwx
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-hgrh-qx5j-jfwx
Third Party Advisory third-party-advisory
VulnCheck Advisory: PickleScan - Unsafe Globals Check Bypass via pty.spawn Function
https://www.vulncheck.com/advisories/picklescan-unsafe-globals-check-bypass-via-pty-spawn-function

Scores

CVSS v3 8.8
EPSS 0.0038
EPSS Percentile 30.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-693
Status published
Products (3)
PickleScan/PickleScan < 0.0.33
PickleScan/PickleScan 0.0.33
pypi/picklescan 0 - 0.0.33PyPI
Published Jun 17, 2026
Tracked Since Jun 17, 2026