CVE-2025-1945
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.
Analysis
PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.
Technical Context
The vulnerability arises from a discrepancy between how PickleScan parses ZIP archives and how PyTorch reads them. By toggling specific bits in ZIP local file headers, an attacker can craft archives in which malicious .pkl files are invisible to the scanner yet fully functional when loaded by torch.load(). This is a classic parser differential vulnerability (CWE-345).
Affected Products
PickleScan < 0.0.23, and any system that relies on PickleScan to validate PyTorch models
Remediation
Upgrade PickleScan to 0.0.23 or later. Consider using torch.load() with weights_only=True where possible. Audit existing model archives in your pipelines.
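As an added illustration of the audit step above and of the parser differential described under Technical Context, here is a small Python check written for this page (it is not picklescan's or PyTorch's own code). A ZIP archive stores each entry's metadata twice, once in the central directory and once in a local file header, and a consumer that reads one while a scanner reads the other can disagree about the same entry. The audit cross-checks the two for every member and lists the pickle entries a scanner must inspect. It assumes the usual PyTorch checkpoint layout of a top-level directory holding `data.pkl`; the sample archive and the flag bit flipped in the demo are constructed here and are not a statement about which bits the real bypass used.

```python
import io
import pickle
import struct
import zipfile

# Layout of a ZIP local file header (PKZIP APPNOTE 4.3.7): signature, version
# needed, general-purpose flag bits, compression method, mod time, mod date,
# CRC-32, compressed size, uncompressed size, file-name length, extra length.
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
LOCAL_HEADER_SIG = b"PK\x03\x04"
UTF8_FLAG = 0x0800             # bit 11: file name is UTF-8
DATA_DESCRIPTOR_FLAG = 0x0008  # bit 3: CRC/sizes follow the data, not the header
ZIP64_SENTINEL = 0xFFFFFFFF    # size field deferred to a zip64 extra record


def audit_archive(data: bytes) -> list[str]:
    """Compare each central-directory record with the local header it points at.

    zipfile reads the central directory; anything that trusts the local headers
    instead sees whatever they say. Returns human-readable findings; an empty
    list means every entry's two records agree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            raw = data[off:off + LOCAL_HEADER_SIZE]
            if len(raw) < LOCAL_HEADER_SIZE or raw[:4] != LOCAL_HEADER_SIG:
                findings.append(f"{info.filename}: no local file header at offset {off}")
                continue
            (_sig, _ver, flags, method, _t, _d, crc, csize, usize,
             nlen, _xlen) = struct.unpack(LOCAL_HEADER_FMT, raw)
            name_bytes = data[off + LOCAL_HEADER_SIZE:off + LOCAL_HEADER_SIZE + nlen]
            local_name = name_bytes.decode("utf-8" if flags & UTF8_FLAG else "cp437")
            if flags != info.flag_bits:
                findings.append(f"{info.filename}: flag bits differ "
                                f"(local 0x{flags:04x}, central 0x{info.flag_bits:04x})")
            if local_name != info.orig_filename:
                findings.append(f"{info.filename}: local header names it {local_name!r}")
            if method != info.compress_type:
                findings.append(f"{info.filename}: compression method differs "
                                f"({method} vs {info.compress_type})")
            # With bit 3 set the local CRC/sizes are legitimately zero, and with
            # zip64 the sizes are sentinels, so only compare them otherwise.
            if not flags & DATA_DESCRIPTOR_FLAG:
                if crc != info.CRC:
                    findings.append(f"{info.filename}: CRC differs between records")
                if ZIP64_SENTINEL not in (csize, usize) and \
                        (csize, usize) != (info.compress_size, info.file_size):
                    findings.append(f"{info.filename}: sizes differ between records")
    return findings


def pickle_entries(data: bytes) -> list[str]:
    """Names of the members a pickle scanner has to inspect (the .pkl files)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.endswith(".pkl")]


def build_sample_archive() -> bytes:
    """Constructed sample: an archive laid out like a PyTorch zip checkpoint
    (a top-level directory with data.pkl, one tensor blob and a version file).
    The pickle is a harmless dict made here for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", pickle.dumps({"weights": [0.1, 0.2]}))
        zf.writestr("model/data/0", bytes(16))
        zf.writestr("model/version", b"3\n")
    return buf.getvalue()


def tamper_local_flags(data: bytes, member: str, mask: int) -> bytes:
    """Constructed tamper for the demo: XOR `mask` into the flag bits of the
    member's *local* header only, leaving the central directory untouched.
    The bit is arbitrary and not a claim about the bits used in the bypass."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        off = zf.getinfo(member).header_offset
    flag_off = off + 6  # signature (4) + version needed (2)
    (flags,) = struct.unpack_from("<H", data, flag_off)
    out = bytearray(data)
    struct.pack_into("<H", out, flag_off, flags ^ mask)
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_archive()
    print("pickle entries:", pickle_entries(clean))
    print("clean archive findings:", audit_archive(clean))
    tampered = tamper_local_flags(clean, "model/data.pkl", 0x0002)
    for line in audit_archive(tampered):
        print("tampered archive finding:", line)
```

Any finding here means the archive has two stories about one entry and should be quarantined rather than loaded; a clean result is an integrity check on the container only and does not replace upgrading the scanner or loading with weights_only=True.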
External POC / Exploit Code
GHSA-w8jq-xcqf-f792