CVE-2025-71361

EUVD-2025-210328
picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().
Eval Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Common Weakness Enumeration
References
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-8r4j-24qv-fmq9
https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-idlelib-calltip-calltip-fetch-tip
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-8r4j-24qv-fmq9