CVE-2025-71325 PUBLISHED

picklescan - Detection Bypass via STACK_GLOBAL Opcode Parsing Logic Flaw

Assigner: VulnCheck
Reserved: 08.06.2026 Published: 17.06.2026 Updated: 17.06.2026

picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor picklescan
Product picklescan
Versions Default: unaffected
  • affected from 0 to 0.0.27 (excl.)
  • Version 0.0.27 is unaffected

Credits

  • Lyutoon reporter

References

Problem Types

  • Unchecked Error Condition CWE