CVE-2025-71351

UNKNOWN 0.0

picklescan - Remote Code Execution via timeit.timeit() Detection Bypass

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute when pickle.load() is called.

CWE	CWE-184
Vendor	picklescan
Product	picklescan
Published	Jun 21, 2026

Stay Ahead of the Next One

Get instant alerts for picklescan picklescan

Be the first to know when new unknown vulnerabilities affecting picklescan picklescan are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

picklescan / picklescan

0 < 0.0.25

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc vulncheck.com: https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-timeit-timeit-detection-bypass

Credits

🔍 SeaW1nd