CVE-2025-10155 in picklescan
Summary
by MITRE • 09/17/2025
An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle file security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Analysis
by VulDB Data Team • 10/03/2025
CVE-2025-10155 is an improper input validation flaw in the mmaitre314 picklescan tool, version 0.0.30 and earlier. The weakness sits in the scanning logic that processes pickle files: a standard pickle file carrying a malicious payload is reported as safe when it is supplied under a PyTorch-related file extension. Because the scanner lets the extension decide how the content is handled, an attacker can dress a plain pickle up as a PyTorch model file and have its contents go unscanned.
Technically, the flaw stems from using the file extension as the primary dispatch mechanism instead of inspecting the content. When picklescan sees a PyTorch-related extension such as .pt or .pth, it routes the file to the handling intended for PyTorch model files rather than to the generic pickle scanner. PyTorch model files as torch.save writes them are zip containers holding a data.pkl member, and that is what the PyTorch path expects; a plain pickle stream supplied under such a name does not match that layout, is never parsed as a pickle, and is reported clean. No content check stands behind the extension check, so the one control meant to catch malicious pickles can be switched off by renaming the file.
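To make the dispatch problem concrete, here is an added example (written for this page; it is not picklescan's code, and the function names, the denylist and the sample files are all constructed for illustration). A hypothetical extension-driven scanner, `scan_file_vulnerable`, sends anything with a PyTorch extension down a zip-only path and reports a non-zip file safe; `scan_file_hardened` decides by content instead, unpacking zip containers and scanning everything else as a raw pickle stream. Both use `pickletools.genops` to list the globals a pickle would import without ever unpickling it, which is also why the remediation advice later on the page (scan content, not names) is cheap to follow.

```python
import io
import pickle
import pickletools
import subprocess
import zipfile
from pathlib import PurePosixPath

# Constructed denylist for this example; a real scanner carries a far longer one.
DANGEROUS_GLOBALS = {
    ("os", "system"),
    ("posix", "system"),
    ("subprocess", "Popen"),
    ("builtins", "eval"),
    ("builtins", "exec"),
}

# Extensions the hypothetical scanner treats as "PyTorch model files".
PYTORCH_EXTENSIONS = {".pt", ".pth", ".bin", ".ckpt"}

# Constructed samples. The malicious one is a hand-written protocol-0 pickle
# equivalent to os.system("echo pwned"); nothing in this file ever unpickles it.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."
BENIGN_PICKLE = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)
# Protocol-4 reference to subprocess.Popen (STACK_GLOBAL form). Pickling a
# class reference only records its module and name; it runs nothing.
STACK_GLOBAL_PICKLE = pickle.dumps(subprocess.Popen, protocol=4)

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data: bytes) -> set[tuple[str, str]]:
    """Enumerate every GLOBAL / STACK_GLOBAL reference in a pickle stream.

    pickletools.genops only walks the opcodes; the pickle is never loaded, so
    the scanner cannot be exploited by the payload it inspects. Raises
    ValueError on data that is not a well-formed pickle.
    """
    found: set[tuple[str, str]] = set()
    strings: list[str] = []          # string constants pushed so far
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":              # protocols 0-3: "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name in _STRING_OPS:
            strings.append(arg)
        elif opcode.name == "STACK_GLOBAL":      # protocol 4+: module, name on stack
            if len(strings) >= 2:
                found.add((strings[-2], strings[-1]))
    return found


def scan_pickle_bytes(data: bytes) -> bool:
    """True if the stream references a dangerous global; fails closed on junk."""
    try:
        return bool(find_globals(data) & DANGEROUS_GLOBALS)
    except ValueError:
        return True        # unparseable input is not "safe", it is unscannable


def scan_pytorch_zip(data: bytes) -> bool:
    """Scan every *.pkl member of a zip container (the layout torch.save uses)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(scan_pickle_bytes(zf.read(n))
                   for n in zf.namelist() if n.endswith(".pkl"))


def scan_file_vulnerable(filename: str, data: bytes) -> bool:
    """Extension-driven dispatch of the kind the advisory describes.

    A PyTorch extension sends the bytes down the zip-container path; when they
    are not a zip archive the file is reported safe without ever being parsed
    as a pickle. Simplified reconstruction for illustration, not picklescan.
    """
    if PurePosixPath(filename).suffix.lower() in PYTORCH_EXTENSIONS:
        if zipfile.is_zipfile(io.BytesIO(data)):
            return scan_pytorch_zip(data)
        return False       # <- the bypass: a raw pickle named model.pt is "safe"
    return scan_pickle_bytes(data)


def scan_file_hardened(filename: str, data: bytes) -> bool:
    """Decide by content, never by name: zip containers are unpacked, anything
    else is scanned as a raw pickle stream regardless of its extension."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return scan_pytorch_zip(data)
    return scan_pickle_bytes(data)


def make_pytorch_zip(payload: bytes) -> bytes:
    """Build a minimal torch.save-style container around a pickle payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("model.pkl", MALICIOUS_PICKLE),
                       ("model.pt", MALICIOUS_PICKLE),
                       ("model.pt", make_pytorch_zip(MALICIOUS_PICKLE)),
                       ("model.pt", BENIGN_PICKLE)]:
        print(f"{name:10} vulnerable={scan_file_vulnerable(name, blob)!s:5} "
              f"hardened={scan_file_hardened(name, blob)}")
```

Running the block shows the asymmetry the advisory describes: the same malicious bytes are flagged as model.pkl but pass as model.pt under the extension-driven scanner, while the real zip-based model is caught by both. The hardened version also fails closed on bytes that are neither a zip nor a parseable pickle, so a renamed blob cannot slip through as "nothing to scan"; whether that should be a hard block or a separate "unscannable" verdict is a policy choice for the deployment.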
Operationally, the flaw matters to any organization that relies on picklescan as a gate for untrusted pickle files. An attacker can ship a malicious payload as a seemingly legitimate PyTorch model file and obtain code execution on whatever system later loads it. The damage goes beyond the immediate execution: a scanner that passes such a file creates a false sense of security, so the malicious artifact may sit in a model registry or CI pipeline with a clean verdict attached. Machine learning environments are the natural target, since pickle is the default serialization format for PyTorch models and those models are routinely loaded on production systems.
CVE-2025-10155 maps to CWE-20 Improper Input Validation, the class of weaknesses in which malicious data passes a security control because the control checks the wrong property of its input (here, the file name rather than the content). It also maps to ATT&CK technique T1059.007 Command and Scripting Interpreter: Python, because pickle deserialization hands the attacker arbitrary Python execution. Organizations using picklescan should update to a release later than 0.0.30, verify that the scanner now inspects file content regardless of extension (for instance by scanning a known-bad pickle renamed to .pt), and keep treating the scanner as one layer only: loading a pickle from an untrusted source remains unsafe whatever verdict a denylist scanner returns, so untrusted models should be loaded with torch.load(..., weights_only=True) or distributed in a non-executable format where possible. On the engineering side, the lesson is to dispatch on the bytes, not the name, and to regression-test scanning tools with renamed and malformed inputs so that this class of bypass is caught before it reaches a release.