← Back to CVEs
CVE-2025-1716
CRITICAL9.8
Description
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published2/26/2025
Last Modified12/29/2025
Sourcenvd
Honeypot Sightings0
Affected Products
mmaitre314:picklescan
Weaknesses (CWE)
CWE-184
References
https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d(103e4ec9-0a87-450b-af77-479448ddef11)
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v(103e4ec9-0a87-450b-af77-479448ddef11)
https://www.sonatype.com/security-advisories/cve-2025-1716(103e4ec9-0a87-450b-af77-479448ddef11)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.