CVE-2025-71355
CWE-184 · Published: June 30, 2026 · Updated: Jul 1, 2026
Official Description
Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and execute arbitrary code during deserialization. Attackers can craft malicious pickle files using numpy.testing._private.utils.runstring within the reduce method to import dangerous libraries like os and execute arbitrary OS commands when the pickle file is loaded.
Technical Analysis
CVE-2025-71355 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (P) is needed, which slightly reduces the risk of mass automated attacks.
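The bypass in the description is a denylist gap (CWE-184): a scanner flags only the globals it already knows about. The added example below is not Picklescan's code or part of the advisory. It lists the globals a pickle references using the standard library's `pickletools`, without loading the file, and compares a denylist check with an allowlist check. The sample byte strings are constructed and contain only a reference to the global named above, with no call; the allowlist contents and the helper names are assumptions.

```python
import pickletools

# Global named in the CVE description; everything else here is illustrative.
GADGET = ("numpy.testing._private.utils", "runstring")
# Assumed allowlist for a loader that expects only plain NumPy arrays.
ALLOWED = {("numpy", "ndarray"), ("numpy", "dtype"),
           ("numpy.core.multiarray", "_reconstruct")}

def pickle_globals(data: bytes):
    """Return (module, name) pairs a pickle imports, without unpickling it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Heuristic: module and name are the two latest string pushes.
            found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

def flagged(data: bytes, denylist=frozenset(), allowlist=None):
    """Globals rejected under an allowlist if given, else under a denylist."""
    refs = pickle_globals(data)
    if allowlist is not None:
        return [r for r in refs if r not in allowlist]
    return [r for r in refs if r in denylist]

def short_str(s: str) -> bytes:
    """Encode a SHORT_BINUNICODE push (opcode 0x8c, 1-byte length)."""
    return b"\x8c" + bytes([len(s)]) + s.encode()

# Constructed samples: a bare reference to the global, then STOP. No call.
SAMPLE_P0 = b"c" + GADGET[0].encode() + b"\n" + GADGET[1].encode() + b"\n."
SAMPLE_P4 = b"\x80\x04" + short_str(GADGET[0]) + short_str(GADGET[1]) + b"\x93."

if __name__ == "__main__":
    stale = {("os", "system"), ("builtins", "eval")}  # list missing the gadget
    for name, blob in (("proto0", SAMPLE_P0), ("proto4", SAMPLE_P4)):
        print(name, "stale denylist:", flagged(blob, denylist=stale))
        print(name, "fixed denylist:", flagged(blob, denylist=stale | {GADGET}))
        print(name, "allowlist     :", flagged(blob, allowlist=ALLOWED))
```

The stale denylist returns nothing for either sample, while the allowlist rejects the reference without needing to know the gadget in advance.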
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2025-71355 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts