CVE-2025-1716
Published: 26 February 2025
Summary
CVE-2025-1716 is a medium-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Mmaitre314 Picklescan. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE ranks in the top 5.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
picklescan versions prior to 0.0.21 contain a flaw in which the scanner does not classify the 'pip' module as an unsafe global when inspecting pickled Python objects. The affected component is the picklescan library itself, which is used to detect dangerous constructs in serialized machine-learning models before they are loaded.
An attacker can therefore craft a malicious pickled model that invokes pip.main() to fetch and install an arbitrary package from PyPI or a GitHub-hosted repository. Because the call is not flagged, the model passes the scan and can later execute the attacker-supplied package when deserialized, achieving unauthorized code execution or environment tampering with no user interaction beyond loading the model.
The GitHub advisory GHSA-655q-fx9r-782v and the referenced commit 78ce704227c51f070c0c5fb4b466d92c62a7aa3d correct the issue by adding 'pip' to the set of restricted globals; Sonatype has mirrored the same remediation guidance for CVE-2025-1716.
The associated EPSS score has remained flat at 0.1625 since disclosure, indicating no measurable rise in observed exploitation interest, though the vulnerability is directly relevant to machine-learning pipelines that depend on pickle-based model serialization.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5323
Vulnerability details
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
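As an added illustration of the flaw described above and in the deeper analysis (this is not picklescan's own code), the following static opcode walk shows how a deny-list scanner misses a pickle that merely references pip.main while 'pip' is absent from the list, and flags it once 'pip' is added. The deny-list and the sample pickles are constructed for this example, and the samples are only parsed with pickletools, never unpickled.

```python
import pickle
import pickletools
from collections import deque

# Illustrative deny-list of module names (constructed; picklescan's real list is larger).
UNSAFE_MODULES_BEFORE = frozenset({"os", "subprocess", "sys", "builtins"})
# The fix for CVE-2025-1716 (picklescan 0.0.21) added 'pip' to the restricted globals.
UNSAFE_MODULES_AFTER = UNSAFE_MODULES_BEFORE | {"pip"}

# String-carrying opcodes that may supply the operands of STACK_GLOBAL.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def referenced_globals(data: bytes):
    """Yield (module, name) pairs a pickle would import, using pickletools.genops only.

    The stream is parsed opcode by opcode and is never passed to pickle.loads,
    so scanning cannot trigger the code the pickle references.
    """
    recent = deque(maxlen=2)  # last two string operands, consumed by STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: "module name" text operand
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL":    # protocol 4+: operands were pushed beforehand
            if len(recent) == 2:
                module, name = recent
                yield module, name
        elif op.name in _STRING_OPS:
            recent.append(arg)


def scan(data: bytes, unsafe_modules) -> list:
    """Return the dotted globals flagged by the deny-list (top-level package match)."""
    return [f"{m}.{n}" for m, n in referenced_globals(data)
            if m.split(".", 1)[0] in unsafe_modules]


# Constructed samples. The benign one is a plain dict; the other two carry only a
# bare global reference to pip.main (protocol 2 GLOBAL, protocol 4 STACK_GLOBAL).
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
PIP_REF_P2 = b"\x80\x02cpip\nmain\n."
PIP_REF_P4 = b"\x80\x04\x8c\x03pip\x8c\x04main\x93."

if __name__ == "__main__":
    print("pre-0.0.21 list:", scan(PIP_REF_P2, UNSAFE_MODULES_BEFORE))  # []  (missed)
    print("0.0.21+ list:   ", scan(PIP_REF_P2, UNSAFE_MODULES_AFTER))   # ['pip.main']
```

A real model file will reference many legitimate globals (e.g. from torch or numpy), so a deny-list scanner of this kind is only as good as its list, which is exactly the weakness CWE-184 describes.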
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in picklescan enables evasion of static analysis (T1211), exploitation for client-side code execution via unsafe pickle deserialization (T1203), Python interpreter abuse to invoke pip.main (T1059.006), and ingress of malicious packages from PyPI/GitHub (T1105).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): ensures timely upgrading of picklescan to version 0.0.21 or later, directly addressing the failure to restrict 'pip' as an unsafe global.
- SI-3 (Malicious Code Protection): scans for threats like those in pickle files that bypass picklescan and invoke pip to install harmful PyPI packages.
- RA-5 (Vulnerability Monitoring and Scanning): identifies the CVE-2025-1716 flaw in picklescan versions before 0.0.21 for remediation.