CVE-2025-71321

EUVD-2025-210268
picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code execution.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4
https://www.vulncheck.com/advisories/picklescan-arbitrary-file-writing-via-distutils-module-bypass
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m273-6v24-x4m4