CVE-2025-71361

Description

picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().

PUBLISHED Reserved 2026-06-20 | Published 2026-06-24 | Updated 2026-06-24 | Assigner VulnCheck

Problem types

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Product status

Credits

FredericDT reporter

References

github.com/...lescan/security/advisories/GHSA-8r4j-24qv-fmq9 exploit

github.com/...lescan/security/advisories/GHSA-8r4j-24qv-fmq9 (GitHub Security Advisory (GHSA-8r4j-24qv-fmq9)) vendor-advisory

www.vulncheck.com/...ected-idlelib-calltip-calltip-fetch-tip (VulnCheck Advisory: picklescan - Remote Code Execution via Undetected idlelib.calltip.Calltip.fetch_tip) third-party-advisory

cve.org (CVE-2025-71361)

nvd.nist.gov (CVE-2025-71361)

Download JSON