← Back
2026-06-22 21:4CVE-2025-71339VulnCheck
PUBLISHED5.2CWE-502

Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran._eval_length Gadget

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation.

Problem type

Affected products

Picklescan

Picklescan

< 0.0.33 - AFFECTED

0.0.33 - UNAFFECTED

References

GitHub Security Advisory (GHSA-6556-fwc2-fg2p)

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p

vendor-advisory
VulnCheck Advisory: Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran._eval_length Gadget

https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-numpy-f2py-crackfortran-eval-length-gadget

third-party-advisory

GitHub Security Advisories

GHSA-6556-fwc2-fg2p

Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length

https://github.com/advisories/GHSA-6556-fwc2-fg2p

Summary

Picklescan uses the numpy.f2py.crackfortran._eval_length function (a NumPy F2PY helper) to execute arbitrary Python code during unpickling.

Details

Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran._eval_length in __reduce__, allowing arbitrary command execution when the pickle is loaded. A crafted object returns this function plus attacker‑controlled arguments; the scan reports the file as safe, but pickle.load() triggers execution.

PoC

class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import _eval_length
        return _eval_length, ("__import__('os').system('whoami')", None)

Impact

  • Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
  • Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
  • Enables supply‑chain poisoning of shared model files.

Credits

github.com

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p

github.com

https://github.com/mmaitre314/picklescan/pull/53

github.com

https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab

github.com

https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33

github.com

https://github.com/advisories/GHSA-6556-fwc2-fg2p

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-71339
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-71339",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-06-22T21:04:41.267Z",
    "dateReserved": "2026-06-20T01:48:36.756Z",
    "datePublished": "2026-06-22T21:04:41.267Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-06-22T21:04:41.267Z"
      },
      "datePublic": "2025-12-27T00:00:00.000Z",
      "title": "Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran._eval_length Gadget",
      "descriptions": [
        {
          "lang": "en",
          "value": "Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation."
        }
      ],
      "affected": [
        {
          "vendor": "Picklescan",
          "product": "Picklescan",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "0.0.33"
            },
            {
              "version": "0.0.33",
              "status": "unaffected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Deserialization of Untrusted Data",
              "cweId": "CWE-502",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-6556-fwc2-fg2p",
          "name": "GitHub Security Advisory (GHSA-6556-fwc2-fg2p)",
          "tags": [
            "vendor-advisory"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-numpy-f2py-crackfortran-eval-length-gadget",
          "name": "VulnCheck Advisory: Picklescan - Arbitrary Code Execution via numpy.f2py.crackfortran._eval_length Gadget",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ac0d3r",
          "type": "reporter"
        },
        {
          "lang": "en",
          "value": "Lyutoon",
          "type": "reporter"
        }
      ]
    }
  }
}