
CVE-2025-1945 (AI / ML)

Severity: CRITICAL, CVSS 3.1 base score 9.8
Weakness: CWE-345 Insufficient Verification of Data Authenticity
Published: 2025-03-10
Advisory: GHSA-w8jq-xcqf-f792
ID: 103e4ec9-0a87-450b-af77-479448ddef11

CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Mar 10, 2025 12:15 (nvd)
Patch released: Dec 29, 2025 15:16 (nvd), patch available
PoC Detected: Dec 29, 2025 15:16 (vuln.today), public exploit code
Analysis Generated: Mar 12, 2026 19:50 (vuln.today)

Description (NVD)

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

Analysis (AI-generated)

PickleScan before 0.0.23 can be bypassed by flipping specific ZIP file header flag bits, allowing malicious pickle files to evade detection inside PyTorch model archives. An attacker can embed arbitrary code execution payloads that PickleScan misses but PyTorch's torch.load() still processes. A proof-of-concept exists and a patch is available in version 0.0.23.

Technical Context (AI-generated)

The vulnerability exploits a discrepancy between how PickleScan parses ZIP archives and how PyTorch reads them. By toggling specific flag bits in the ZIP headers (the NVD description does not name which bits), an attacker crafts an archive whose malicious .pkl entry the scanner skips but torch.load() still extracts and unpickles. This is a classic parser differential; the advisory files it under CWE-345 (Insufficient Verification of Data Authenticity) because the scanner's verdict is trusted without confirming that it examined the same bytes the loader will execute. The general defence for this bug class is twofold: a scanner must parse at least as permissively as the consumer it protects, and an entry it cannot parse must be reported as a failure, never silently treated as clean.
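The parser differential described above, as an added example that is not picklescan's or PyTorch's code: it builds a tiny torch.save-shaped archive holding a pickle, flips one general-purpose flag bit in the ZIP headers, and shows that Python's strict zipfile refuses the entry (so a scanner that swallows that error reports nothing) while a permissive reader that trusts only offsets and sizes still returns the pickle bytes. Assumptions not taken from the advisory: the flipped bit (bit 0, the "encrypted" flag) is an illustrative choice, since the advisory does not name the bits; iter_entries_permissive is our own stand-in for a loader that ignores flag bits, not PyTorch's reader; the model/data.pkl layout and the DANGEROUS denylist are toy values; MALICIOUS_PICKLE is a constructed protocol-0 payload that is only walked with pickletools and never unpickled.

```python
import io
import pickletools
import struct
import zipfile
import zlib

# Constructed inputs: the pickle would call os.system("echo pwned") if loaded; it never is.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."
ENTRY = "model/data.pkl"  # path torch.save uses for its pickle (assumed layout)
DANGEROUS = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}  # toy denylist

def build_archive(payload: bytes, entry: str = ENTRY) -> bytes:
    """One stored .pkl entry: the minimal shape of a torch.save archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry, payload)
    return buf.getvalue()

def set_flag_bit(zip_bytes: bytes, bit: int) -> bytes:
    """Set one general-purpose flag bit on the first entry, in the central directory
    header (flags at +8) and the local header (flags at +6); offsets, sizes, CRC and data stay."""
    data = bytearray(zip_bytes)
    eocd = data.rfind(b"PK\x05\x06")                          # end-of-central-directory record
    cd_off = struct.unpack_from("<L", data, eocd + 16)[0]
    assert data[cd_off:cd_off + 4] == b"PK\x01\x02"
    local_off = struct.unpack_from("<L", data, cd_off + 42)[0]
    assert data[local_off:local_off + 4] == b"PK\x03\x04"
    for pos in (cd_off + 8, local_off + 6):
        struct.pack_into("<H", data, pos, struct.unpack_from("<H", data, pos)[0] | (1 << bit))
    return bytes(data)

def strict_read(zip_bytes: bytes, name: str):
    """Strict side: Python's zipfile, which validates flag bits. None if it refuses."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.read(name)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return None

def iter_entries_permissive(zip_bytes: bytes):
    """Permissive side: walk the central directory and read each entry from its recorded
    offset, size and method, ignoring flag bits. Our stand-in for a lenient loader, not PyTorch's."""
    eocd = zip_bytes.rfind(b"PK\x05\x06")
    count = struct.unpack_from("<H", zip_bytes, eocd + 10)[0]
    pos = struct.unpack_from("<L", zip_bytes, eocd + 16)[0]
    for _ in range(count):
        f = struct.unpack_from("<4s6H3L5H2L", zip_bytes, pos)   # 46-byte central header
        method, csize, nlen, xlen, clen, local_off = f[4], f[8], f[10], f[11], f[12], f[16]
        name = zip_bytes[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        lnlen, lxlen = struct.unpack_from("<HH", zip_bytes, local_off + 26)
        start = local_off + 30 + lnlen + lxlen                 # past the 30-byte local header
        raw = zip_bytes[start:start + csize]
        yield name, (raw if method == 0 else zlib.decompress(raw, -15))

def dangerous_globals(pickle_bytes: bytes) -> list:
    """Static opcode walk, no unpickling: GLOBAL / STACK_GLOBAL imports on the denylist.
    STACK_GLOBAL (protocol 4+) takes module and name from the two most recent string pushes."""
    hits, strings = [], []
    for op, arg, _ in pickletools.genops(pickle_bytes):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
        elif op.name == "STACK_GLOBAL":
            module, name = strings[-2], strings[-1]
        else:
            continue
        if (module, name) in DANGEROUS:
            hits.append(f"{module}.{name}")
    return hits

def scan_strict_skip_on_error(zip_bytes: bytes) -> list:
    """Anti-pattern: strict parsing, and an entry it cannot extract is silently skipped,
    so "could not read" turns into "nothing found"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if n.endswith(".pkl")]
    for name in names:
        data = strict_read(zip_bytes, name)
        if data is not None:          # the gap: zipfile refused, but a loader might not
            hits += dangerous_globals(data)
    return hits

def scan_like_the_loader(zip_bytes: bytes) -> list:
    """Hardened: parse as permissively as the consumer does, and fail closed (report,
    do not pass) on anything that still cannot be parsed."""
    hits = []
    try:
        for name, data in iter_entries_permissive(zip_bytes):
            if name.endswith(".pkl"):
                hits += dangerous_globals(data)
    except Exception as exc:          # any parse failure is itself a finding
        hits.append(f"UNPARSEABLE_ARCHIVE:{exc}")
    return hits

def demo() -> dict:
    clean = build_archive(MALICIOUS_PICKLE)
    evasive = set_flag_bit(clean, 0)  # bit 0 ("encrypted") is our illustrative choice
    return {"strict_on_unmodified": scan_strict_skip_on_error(clean),
            "strict_on_evasive": scan_strict_skip_on_error(evasive),
            "loader_view_on_evasive": scan_like_the_loader(evasive)}
```

Calling demo() returns three scan results: the strict scanner finds os.system in the unmodified archive, returns an empty list for the flag-flipped one because zipfile raises on the entry and the scanner swallows the error, and the loader-view scanner still finds os.system in the same flag-flipped bytes. The two rules the hardened scanner follows are the ones that close this bug class: parse with at least the consumer's permissiveness, and treat an unparseable entry as a finding rather than a pass.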

Affected Products (AI-generated)

PickleScan < 0.0.23, and any pipeline that relies on PickleScan to vet PyTorch model archives before they reach torch.load().

Remediation (AI-generated)

Upgrade PickleScan to 0.0.23 or later. Where the loading code is under your control, call torch.load() with weights_only=True (the default since PyTorch 2.6): this switches to a restricted unpickler that only permits an allow-list of tensor and primitive types, so a pickle that imports os.system or similar fails to load instead of executing. Re-scan model archives already in your pipelines with the patched version, and treat any archive the scanner cannot fully parse as untrusted rather than as clean.


CVE-2025-1945 vulnerability details – vuln.today
