CVE-2025-1716: 
Python vulnerability analysis and mitigation

CVE-2025-1716 affects picklescan versions before 0.0.21, where the software fails to treat 'pip' as an unsafe global. The vulnerability was discovered in early 2025 and disclosed by Sonatype. The issue allows attackers to bypass security scanning mechanisms by crafting malicious models that use Pickle to pull in malicious PyPI packages via pip.main() (Sonatype Blog, NVD).

The vulnerability stems from an unsafe deserialization process in Python's pickle module that allows execution of arbitrary functions via the reduce method. While picklescan is designed to detect such exploits, this attack evades detection by leveraging pip.main() as a callable function. The vulnerability has a CVSS v4.0 base score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The weakness is categorized as CWE-184: Incomplete List of Disallowed Inputs (GitHub Advisory, Sonatype CVE).

The vulnerability has several significant impacts: it enables bypassing of picklescan security tools as pip.main() calls may not be flagged as dangerous, allows for Remote Code Execution (RCE) on any system that deserializes a malicious pickle, and facilitates supply chain attacks through the distribution of infected pickle files across ML models, APIs, or saved Python objects (Sonatype CVE).

The vulnerability has been patched in picklescan version 0.0.21 and later by adding 'pip' to the list of unsafe globals. Users are recommended to upgrade to version 0.0.22 or higher, which incorporates additional restricted globals for enhanced security (Sonatype CVE, GitHub Commit).