CVE-2025-71354

Sažetak

picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

Reference

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3vg9-h568-4w9m
https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-idlelib-debugobj-objecttreeitem-settext
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3vg9-h568-4w9m

CVSS

Base:	8.1
Impact:	5.2
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Zadnje važnije ažuriranje

25-06-2026 - 14:25

Objavljeno

24-06-2026 - 13:16