ГлавнаяУязвимости → CVE-2025-71320
9.8критическая

CVE-2025-71320

Описание

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.

CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5qhttps://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-incomplete-disallowed-inputshttps://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q