picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning.
CVE-2025-71325
Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2026-06-17. a secondary CVSS source baseline 9.8; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 37.8%
- KEV
- Not listed
Published
June 17, 2026
Last Modified
June 17, 2026
Advisory Details (3)
Auto-updated Jun 29, 2026Pickle parsing logic flaw leads to malicious pickle file bypass · Advisory · mmaitre314/picklescan · GitHub
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9gvj-pp9x-gcfrpicklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw | Advisories | VulnCheck
https://www.vulncheck.com/advisories/picklescan-detection-bypass-via-stack-global-opcode-parsing-logic-flawcommit 2a8383cfeb41 (mmaitre314/picklescan)
Patch available: mmaitre314/picklescan v0.0.26 (contains commit 2a8383cfeb41)
https://github.com/mmaitre314/picklescan/commit/2a8383cfeb4158567f9770d86597300c9e508d0fVendor Advisories for CVE-2025-71325(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| picklescan | 0.0.1 ... 0.0.9 (26 versions) | 0.0.27 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Frequently asked(5)
What is CVE-2025-71325?
When was CVE-2025-71325 disclosed?
Is CVE-2025-71325 actively exploited?
What is the CVSS score of CVE-2025-71325?
How do I remediate CVE-2025-71325?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2025-71325
Is Your Infrastructure Affected by CVE-2025-71325?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.