
Three serious security flaws have been revealed in an open source utility called Picklescan. These flaws could allow a malicious attacker to load an untrusted PyTorch model and execute arbitrary code, effectively bypassing the tool’s protections.
Picklescan, developed and maintained by Matthieu Maitre (@mmaitre314), is a security scanner designed to parse Python pickle files and detect suspicious imports and function calls before they are executed. Pickle is a serialization format widely used in machine learning, including PyTorch, which uses this format to save and load models.
However, pickle files can be a major security risk because they can automatically trigger the execution of arbitrary Python code when loaded. This makes it necessary for users and organizations to load only trusted models, or to load model weights from frameworks such as TensorFlow and Flax.
The issue discovered by JFrog essentially bypasses the scanner and marks scanned model files as safe, allowing malicious code to run and potentially paving the way for supply chain attacks.

“Each of the vulnerabilities discovered could allow attackers to evade PickleScan’s malware detection and conduct large-scale supply chain attacks by distributing malicious ML models that hide undetectable malicious code,” said security researcher David Cohen.
At its core, Picklescan works by inspecting pickle files at the bytecode level and matching what it finds against a blocklist of known dangerous imports and operations. Unlike allowlisting, this approach cannot detect new attack vectors, and it also means the tool’s developers must anticipate every possible malicious behavior in advance.
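To make the blocklist-versus-allowlist distinction concrete, here is a small added example (not Picklescan’s code) that statically walks a pickle’s opcode stream with the standard library’s pickletools, never unpickling anything, and reports the module imports it would perform. The blocklist and allowlist contents are assumed for illustration, and the sample pickles are constructed inline; the third sample references linecache, the module the article later notes was absent from the deny list.

```python
import collections
import linecache
import pickle
import pickletools

# Illustrative lists only (assumed, not Picklescan's real ones).
BLOCKLIST = {"os", "subprocess", "builtins", "sys"}
ALLOWLIST = {"collections", "torch", "numpy"}

# Opcodes that push string constants; STACK_GLOBAL consumes the last two of these.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def extract_imports(data: bytes) -> list[tuple[str, str]]:
    """Return the (module, name) pairs a pickle would import via GLOBAL or
    STACK_GLOBAL. Purely static: pickletools.genops parses opcodes without
    executing them, so the file is never loaded."""
    imports = []
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            imports.append((strings[-2], strings[-1]))
    return imports


def scan_blocklist(data: bytes) -> list[tuple[str, str]]:
    """Picklescan-style: flag only imports from modules known to be dangerous."""
    return [imp for imp in extract_imports(data) if imp[0] in BLOCKLIST]


def scan_allowlist(data: bytes) -> list[tuple[str, str]]:
    """Allowlist style: flag any import from a module not explicitly permitted."""
    return [imp for imp in extract_imports(data) if imp[0] not in ALLOWLIST]


# Constructed samples; none is ever passed to pickle.loads.
BENIGN = pickle.dumps(collections.OrderedDict, protocol=4)      # STACK_GLOBAL collections OrderedDict
KNOWN_BAD = b"\x80\x02cos\nsystem\n."                             # hand-written protocol 2: GLOBAL os system
OFF_LIST = pickle.dumps(linecache.getline, protocol=4)           # module absent from the blocklist above
```

Running both scanners over OFF_LIST shows the gap the article describes: the blocklist returns nothing, while the allowlist flags the unexpected linecache import.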

The defects identified are:
CVE-2025-10155 (CVSS score: 9.3/7.8) – A file extension bypass that can be used to evade the scanner and load models by serving standard pickle files with PyTorch-related extensions such as .bin or .pt.
CVE-2025-10156 (CVSS score: 9.3/7.5) – A bypass that can be used to disable ZIP archive scanning by introducing a Cyclic Redundancy Check (CRC) error.
CVE-2025-10157 (CVSS score: 9.3/8.3) – A bypass of Picklescan’s unsafe globals check that allows arbitrary code execution by evading the blocklist of dangerous imports.
Successful exploitation of the aforementioned flaws could allow an attacker to hide malicious pickle payloads within files using common PyTorch extensions, intentionally introduce CRC errors to ZIP archives containing malicious models, or create malicious PyTorch models with embedded pickle payloads to bypass scanners.
Following responsible disclosure on June 29, 2025, the three vulnerabilities were addressed in Picklescan version 0.0.31, released on September 9.
This development comes as SecDim and DCODX detail another high-severity security flaw (CVE-2025-46417, CVSS score: 7.5/7.1) in the same utility. This flaw could be exploited by a malicious pickle file to bypass the tool’s blocklist and leak sensitive information via DNS when loading a model.
In a hypothetical attack scenario, an attacker could reuse legitimate Python modules such as linecache and ssl to read sensitive data from files such as ‘/etc/passwd’ using ‘linecache.getline()’ and send that data to a domain under their control using ‘ssl.get_server_certificate()’.

“The leaked content is recorded in the DNS logs. When we scan this payload with Picklescan 0.0.24, it returns ‘No issues found’ because linecache and ssl were not on the deny list,” SecDim said.
The findings point to several important systemic issues, including dependence on a single scanning tool and differences in file handling behavior between security tools and PyTorch, making the security architecture vulnerable to attacks.
“AI libraries like PyTorch are becoming more complex by the day, with new features, model formats, and execution paths being introduced faster than security scanning tools can adapt,” Cohen said. “The growing gap between innovation and protection exposes organizations to new threats that traditional tools cannot predict.”
“Bridging this gap requires a research-backed, AI-modeled security proxy continuously informed by experts who think like both attackers and defenders. By proactively analyzing new models, tracking library updates, and uncovering new exploitation techniques, this approach delivers adaptive, intelligence-driven protection against the most important vulnerabilities.”
