Cyber Posture

CVE-2025-1716

Critical · Public PoC

Published 26 February 2025
Modified 29 December 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1625 (94.8th percentile)
Risk Priority 29 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

picklescan before 0.0.21 does not treat the 'pip' module as an unsafe global. A crafted pickle file can therefore call pip.main() to install an attacker-chosen package (hosted, for example, on pypi.org or GitHub), and picklescan reports the file as safe.

Security Summary

CVE-2025-1716 is a vulnerability in picklescan versions before 0.0.21, a scanner that statically inspects Python pickle files for dangerous imports. The issue is that picklescan did not treat the 'pip' module as an unsafe global. A malicious pickle can therefore invoke pip.main() to download and install an attacker-controlled package, for example one hosted on pypi.org or GitHub, and picklescan reports the file as clean. The vulnerability carries a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-184 (Incomplete List of Disallowed Inputs): the scanner's denylist of unsafe globals was missing an entry.

The CVSS vector rates the flaw as network-reachable with no privileges or user interaction, but the practical chain has a victim step. The attacker distributes a crafted pickle (typically a serialized ML model); picklescan passes it because pip is absent from its unsafe-globals list; a person or pipeline that trusts that result then unpickles the file. At that point the pickle's reduce callable runs pip.main() in the victim's interpreter, installing an attacker-controlled package whose own code executes with the victim's privileges. The outcome is arbitrary code execution and potential full system compromise, with high impact on confidentiality, integrity, and availability. The failure is a scanner bypass rather than a bug in pickle itself: unpickling untrusted data is always code execution, and a clean picklescan result is only as good as the scanner's denylist.

Mitigation involves upgrading to picklescan 0.0.21 or later, which treats 'pip' as an unsafe global. Note that the Affected Products entry below lists versions up to 0.0.22, so check the GitHub advisory for the exact patched release and upgrade to the current version rather than pinning to 0.0.21. Because a denylist-based scanner can only flag what it lists, practitioners should also avoid loading untrusted pickles at all where possible, or load them with an unpickler that permits only known-safe globals. Key resources include the fixing GitHub commit at https://github.com/mmaitre314/picklescan/commit/78ce704227c51f070c0c5fb4b466d92c62a7aa3d, the GitHub security advisory at https://github.com/mmaitre314/picklescan/security/advisories/GHSA-655q-fx9r-782v, and the Sonatype advisory at https://www.sonatype.com/security-advisories/cve-2025-1716.
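The following is an added example, not code from the picklescan project or from any public PoC. It shows the two halves of the issue described above: a static opcode walk that lists the globals a pickle references (the kind of check a scanner performs), a hypothetical denylist with and without a 'pip' entry to show how the omission makes a pip.main() pickle look clean, and an allowlisting unpickler that refuses the file before anything runs. The two payloads are constructed by hand from pickle opcodes and are never executed; the denylist tables are illustrative and are not picklescan's real table.

```python
import io
import pickle
import pickletools

# Constructed sample payloads (not taken from the advisory or any public PoC).
# Both reference the global pip.main and would call it with ["install", "pkg"]
# if loaded with plain pickle.loads(). Below they are only parsed statically
# or fed to a loader that refuses them at the import opcode.
PAYLOAD_PROTO0 = b"cpip\nmain\n((S'install'\nS'pkg'\nltR."
PAYLOAD_PROTO4 = (
    b"\x80\x04"                        # PROTO 4
    b"\x8c\x03pip"                     # SHORT_BINUNICODE "pip"
    b"\x8c\x04main"                    # SHORT_BINUNICODE "main"
    b"\x93"                            # STACK_GLOBAL -> pip.main
    b"](\x8c\x07install\x8c\x03pkge"   # EMPTY_LIST, MARK, two strings, APPENDS
    b"\x85R."                          # TUPLE1, REDUCE (the call), STOP
)

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data):
    """Statically list every (module, name) global a pickle imports.

    pickletools.genops decodes opcodes without executing them. STACK_GLOBAL
    takes module and name from the stack; we track only the most recent
    string pushes, which covers pickles written by the stdlib pickler (the
    two strings are pushed immediately before the opcode).
    """
    refs = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":           # protocols 0-3: "module name" in one arg
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":   # protocol 4+: module and name from stack
            name = strings.pop()
            module = strings.pop()
            refs.append((module, name))
    return refs


# Hypothetical denylists in the shape of an unsafe-globals table ("*" means
# any name in that module). The first omits pip, the gap CVE-2025-1716
# describes; the second adds it, as the fix does. Neither is picklescan's table.
DENYLIST_MISSING_PIP = {"os": "*", "subprocess": "*", "builtins": {"eval", "exec"}}
DENYLIST_WITH_PIP = dict(DENYLIST_MISSING_PIP, pip="*")


def denylist_hits(data, denylist):
    """Return the referenced globals a denylist flags; [] means 'looks safe'."""
    hits = []
    for module, name in referenced_globals(data):
        entry = denylist.get(module)
        if entry == "*" or (isinstance(entry, set) and name in entry):
            hits.append((module, name))
    return hits


class AllowlistUnpickler(pickle.Unpickler):
    """Loader that refuses any global not explicitly allowed.

    find_class() runs when GLOBAL/STACK_GLOBAL is processed, before any
    REDUCE call, so pip.main is never resolved, let alone invoked.
    """
    ALLOWED = {("builtins", "list"), ("builtins", "dict"),
               ("collections", "OrderedDict")}   # hypothetical allowlist

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)


def allowlist_rejects(data):
    """True if the allowlisting loader refuses the pickle (nothing executed)."""
    try:
        AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for label, payload in (("proto0", PAYLOAD_PROTO0), ("proto4", PAYLOAD_PROTO4)):
        print(label, "references:", referenced_globals(payload))
        print("  denylist without pip flags:", denylist_hits(payload, DENYLIST_MISSING_PIP))
        print("  denylist with pip flags:   ", denylist_hits(payload, DENYLIST_WITH_PIP))
        print("  allowlist loader refuses:  ", allowlist_rejects(payload))
```

The denylist without 'pip' returns no hits for either payload, which is exactly the clean result the advisory describes; adding the entry flags both. The allowlist loader needs no knowledge of pip at all, which is why an allowlist (or a non-executable format such as safetensors) is the sturdier control for untrusted model files.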

Details

CWE(s)
CWE-184

Affected Products

mmaitre314
picklescan
≤ 0.0.22

AI Security Analysis

AI Category
Machine Learning Libraries
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
The vulnerability affects picklescan, a security scanning tool specifically designed for Python pickle files commonly used in machine learning libraries (e.g., scikit-learn, joblib) to serialize and deserialize ML models. The exploit targets malicious models that bypass scanning, directly impacting ML model supply chain security.

MITRE ATT&CK Enterprise Techniques

T1059.006 Python · Execution
Adversaries may abuse Python commands and scripts for execution.
T1105 Ingress Tool Transfer · Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1203 Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1211 Exploitation for Stealth · Stealth
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability in picklescan enables evasion of static analysis (T1211), client-side code execution via unsafe pickle deserialization (T1203), abuse of the Python interpreter to invoke pip.main (T1059.006), and ingress of malicious packages from PyPI or GitHub (T1105).
