CVE-2025-71320
picklescan - Remote Code Execution via Incomplete Disallowed Inputs
picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
picklescan · picklescan¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →