Multiple picklescan Bypass Vulnerabilities: ML Supply Chain Security Tool Fails to Detect 7 Python Stdlib Execution Vectors (5 CVEs, CVSS 9.8)

CVE: CVE-2026-56315, CVE-2025-71376, CVE-2025-71370, CVE-2025-71365, CVE-2025-71341 | CVSS 3.1: 9.8 (CVE-2026-56315) / 8.1 (4x) | CWE: CWE-693 | Vendor: picklescan | Product: picklescan | Affected versions: < 1.0.4


What Is the Vulnerability

picklescan is the de facto security scanner for Python pickle files — used by Hugging Face, major ML registries, and organizations worldwide to screen serialized models for malicious code before deserialization. Five bypass vulnerabilities have been disclosed that collectively undermine the tool’s core security guarantees.

CVE-2026-56315 (CVSS 9.8): The scanner fails to block seven Python standard library modules — including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib — that expose eight distinct arbitrary command execution functions. Malicious pickle files leveraging these modules pass undetected.

Four further bypasses (CVSS 8.1 each) cover execution vectors in popular ML ecosystem components that picklescan likewise fails to detect: CVE-2025-71376 (idlelib.autocomplete), CVE-2025-71370 (torch.jit.unsupported_tensor_ops), CVE-2025-71365 (numpy.f2py.crackfortran.myeval), and CVE-2025-71341 (profile.Profile.runctx).

The combined impact is severe: any organization relying on picklescan as a safety gate for ML model ingestion has been operating with a false sense of security. Malicious actors can craft pickle files that execute arbitrary code while cleanly passing picklescan validation.


Versions Affected

  • picklescan versions prior to 1.0.4

Exploited?

There is NO known active exploitation of these picklescan bypass vulnerabilities in the wild at this time. However, the ML supply chain is an increasingly attractive attack surface, and the ability to bypass the industry-standard pickle scanner with multiple independent methods makes exploitation highly probable. Organizations should assume that previously “cleared” pickle files may contain undetected malicious code.


Fix

Upgrade picklescan to version 1.0.4 or later, which closes all five bypass vectors by expanding the blocklist to include the identified stdlib modules and execution paths. After upgrading, a full re-scan of all previously scanned and approved pickle files is essential, as models that previously passed may now be correctly flagged as malicious.


Recommendations

  • Upgrade picklescan to version 1.0.4+ immediately across all CI/CD pipelines, model registries, and developer workstations.
  • Re-scan all previously approved pickle files — assume any pre-upgrade scan results are unreliable.
  • Implement defense-in-depth for ML model ingestion: sandboxed deserialization, runtime monitoring, and network restrictions.
  • Consider migrating to safer serialization formats (e.g., Safetensors) where feasible.
  • Review and harden ML supply chain policies to account for scanner bypass risks.
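The root cause behind every CVE above is the same: a blocklist scanner can only reject globals it already knows about, so each newly noticed stdlib or ML-library entry point needs another scanner release. The defense-in-depth recommendation is easier to reason about when the loader side is deny-by-default instead. The following is an added example (not picklescan's code, and not from the advisory) of that approach: a `pickletools`-based pre-load report of every `module.attr` a pickle references, plus a `pickle.Unpickler` subclass whose `find_class` rejects anything not on an explicit allowlist. The allowlist contents, the function names and the two sample pickles are assumptions constructed for the demo.

```python
"""Deny-by-default pickle loading: reject any module.attr reference that is not
explicitly approved, regardless of whether a blocklist has heard of it.
Added example code; not picklescan's implementation."""
import io
import pickle
import pickletools
import uuid
from collections import OrderedDict
from typing import List, Set, Tuple

# Hypothetical allowlist for one model format (an assumption for this example).
# Anything absent from it is rejected, so a newly identified stdlib vector such
# as those in CVE-2026-56315 is blocked without any scanner update.
ALLOWED_GLOBALS: Set[Tuple[str, str]] = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}

# Opcodes that push a str; STACK_GLOBAL consumes the two most recent of these.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> Set[Tuple[str, str]]:
    """Enumerate every module.attr the pickle would import, without running it.
    GLOBAL and INST carry "module name" inline; STACK_GLOBAL (protocol 4+)
    takes module and name from the two preceding string pushes."""
    refs: Set[Tuple[str, str]] = set()
    recent: List[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.add((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string pushes")
            refs.add((recent[-2], recent[-1]))
        elif op.name in _STRING_OPS:
            recent.append(arg)
    return refs


def static_check(data: bytes) -> Tuple[bool, Set[Tuple[str, str]]]:
    """Pre-load report: (passes, references that are not on the allowlist)."""
    unlisted = referenced_globals(data) - ALLOWED_GLOBALS
    return (not unlisted, unlisted)


class AllowlistUnpickler(pickle.Unpickler):
    """The authoritative gate: find_class is the only path by which a pickle
    resolves a global, so refusing here covers GLOBAL, STACK_GLOBAL, INST and OBJ."""

    def find_class(self, module: str, name: str):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing unlisted global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Load the pickle only if every global it resolves is allowlisted."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


# Constructed samples, not real model files.
BENIGN = pickle.dumps(OrderedDict([("weights", [0.1, 0.2])]), protocol=4)
# uuid.UUID is a harmless class from a module the advisory names; it is used
# here only to show that any unlisted reference is rejected, whatever the module.
UNLISTED = pickle.dumps(uuid.UUID(int=0), protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("unlisted", UNLISTED)):
        ok, bad = static_check(blob)
        print(f"{label}: static check {'pass' if ok else 'FAIL'} {sorted(bad)}")
        try:
            safe_loads(blob)
            print(f"{label}: loaded")
        except pickle.UnpicklingError as exc:
            print(f"{label}: rejected ({exc})")
```

`static_check` is a reporting aid for triage and logging; its resolution of `STACK_GLOBAL` operands is a heuristic over the opcode stream, so the `find_class` override is the control to rely on. The allowlist has to be curated per model format (a PyTorch checkpoint needs entries that a plain dict of weights does not), and that curation effort is precisely what a blocklist scanner lets teams skip until a disclosure like this one lands.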

References

Part of the Vulnerability Intelligence series on threat-modeling.com. See the June 24, 2026 Vulnerability Intelligence Report for broader context.
