VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2026

picklescan - Arbitrary Code Execution via torch.utils._config_module.load_config Bypass

CVE-2025-71348

Description

picklescan before 0.0.28 fails to detect malicious pickle files that invoke the `torch.utils._config_module.load_config` function within `__reduce__` methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during `pickle.load`, enabling remote code execution in supply chain attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"picklescan before 0.0.28 does not flag torch.utils._config_module.load_config as a dangerous function, allowing malicious pickle files that invoke it to evade detection."

Attack vector

An attacker crafts a pickle file whose `__reduce__` method calls `torch.utils._config_module.load_config`, which in turn executes arbitrary code (e.g., `os.system('whoami')`). The victim runs picklescan on the file, which does not detect the dangerous function, and then calls `pickle.load()`, triggering remote code execution. This enables supply chain attacks where infected pickle files are distributed as ML models or saved Python objects [ref_id=1].

Affected code

The vulnerability is a missing detection in picklescan (before 0.0.28) for pickle files that invoke `torch.utils._config_module.load_config` within `__reduce__` methods. The scanner fails to flag this PyTorch library function as dangerous, allowing malicious pickle files to pass inspection.

What the fix does

The patch (picklescan 0.0.28) adds `torch.utils._config_module.load_config` to the list of dangerous functions that picklescan flags during scanning. This ensures that any pickle file attempting to invoke this function via `__reduce__` is detected as malicious before the victim calls `pickle.load()`, closing the bypass.
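As an added illustration (not picklescan's own code), the following simplified scanner walks the pickle opcode stream with `pickletools.genops`, never calling `pickle.load`, and checks every global a `GLOBAL` or `STACK_GLOBAL` opcode resolves against a denylist. Run against a constructed sample that resolves `torch.utils._config_module.load_config` and REDUCEs it, a denylist without that entry lets the file through while one that includes it (as 0.0.28 does) flags it. The denylist contents, the sample bytes and the function names are assumptions for this example.

```python
import pickle
import pickletools

# Constructed, simplified denylist in the style of picklescan's dangerous-globals
# table: module -> set of names. The load_config entry is the one that
# CVE-2025-71348 says picklescan gained in 0.0.28.
DANGEROUS_GLOBALS_PRE_0_0_28 = {
    "os": {"system", "popen"},
    "builtins": {"eval", "exec"},
}
DANGEROUS_GLOBALS_0_0_28 = {
    **DANGEROUS_GLOBALS_PRE_0_0_28,
    "torch.utils._config_module": {"load_config"},
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def find_globals(data: bytes) -> list:
    """Parse the opcode stream (no unpickling) and return every (module, name)
    that a GLOBAL (protocol <= 3) or STACK_GLOBAL (protocol 4+) opcode resolves."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":          # arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in STRING_OPS:      # remember string pushes for STACK_GLOBAL
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))  # two most recent strings
    return found

def scan(data: bytes, denylist: dict) -> list:
    """Return the resolved globals that the given denylist flags as dangerous."""
    return [(m, n) for m, n in find_globals(data)
            if m in denylist and n in denylist[m]]

def _short_unicode(s: str) -> bytes:
    return b"\x8c" + bytes([len(s)]) + s.encode()   # SHORT_BINUNICODE opcode

# Constructed sample: a protocol-4 pickle whose reduce payload resolves
# torch.utils._config_module.load_config and REDUCEs it with an empty tuple.
# It is only parsed here, never loaded.
SAMPLE_LOAD_CONFIG = (b"\x80\x04"
    + _short_unicode("torch.utils._config_module")
    + _short_unicode("load_config")
    + b"\x93)R.")                       # STACK_GLOBAL, EMPTY_TUPLE, REDUCE, STOP
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
```

`scan(SAMPLE_LOAD_CONFIG, DANGEROUS_GLOBALS_PRE_0_0_28)` returns an empty list (the bypass), while `scan(SAMPLE_LOAD_CONFIG, DANGEROUS_GLOBALS_0_0_28)` flags the `load_config` global.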

Preconditions

  • [config] The victim must use picklescan before version 0.0.28 to scan the pickle file.
  • [input] The victim must call `pickle.load()` on the attacker-supplied pickle file after it passes the scan.
  • [input] The attacker must craft a pickle file that uses `torch.utils._config_module.load_config` in its `__reduce__` method.

Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
