Three Critical Flaws Found in Picklescan Risk PyTorch Model Security

Critical Vulnerabilities in Picklescan Enable Arbitrary Code Execution via Malicious PyTorch Models, Fixed in Version 0.0.31

  • Three critical vulnerabilities were found in Picklescan, an open-source tool designed to scan Python pickle files for unsafe content.
  • These flaws allow attackers to bypass security checks and execute arbitrary code via malicious PyTorch models.
  • The issues include bypassing file extension checks, disabling ZIP archive scanning, and evading dangerous import detection.
  • The vulnerabilities have been fixed in Picklescan version 0.0.31, released in September 2025.
  • The findings highlight challenges in securing AI libraries like PyTorch that rapidly evolve beyond existing scanner capabilities.

In December 2025, three significant security vulnerabilities were disclosed in Picklescan, a security scanning tool that analyzes Python pickle files to detect unsafe imports or function calls before execution. These flaws enable malicious actors to circumvent the tool’s protections and run arbitrary code by loading untrusted PyTorch models.


Picklescan, developed by Matthieu Maitre (@mmaitre314), targets the pickle serialization format widely used in machine learning frameworks like PyTorch for saving and loading models. Pickle files can inherently execute code upon deserialization, posing a risk if models from untrusted sources are loaded.

The vulnerabilities discovered by security researcher David Cohen and the JFrog team allow malicious pickle payloads to bypass Picklescan's detection mechanisms, potentially facilitating large-scale supply chain attacks by distributing compromised machine learning models.

Picklescan works by inspecting pickle files at the bytecode level and blocking a list of known dangerous imports and operations. This blocklist approach, however, requires constant updates to capture new threats. The flaws found include:

  • CVE-2025-10155: A file extension bypass that tricks Picklescan into accepting malicious payloads in files with common PyTorch extensions like .bin or .pt (CVSS score 9.3/7.8).
  • CVE-2025-10156: A ZIP archive scanning bypass that uses a Cyclic Redundancy Check (CRC) error to disable detection (CVSS score 9.3/7.5).
  • CVE-2025-10157: A bypass that undermines the check for unsafe global variables, circumventing the blocklist to enable code execution (CVSS score 9.3/8.3).
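The opcode-level inspection described above can be seen in a few lines of standard-library Python. The following is an added illustration written for this article, not Picklescan's own code: it disassembles a pickle with pickletools (which executes nothing), lists the globals the pickle would import, and contrasts a blocklist check with an allowlist check that fails closed. The sample pickles, the blocklist and the allowlist are constructed for the example and are not Picklescan's actual lists.

```python
import collections
import io
import json
import pickle
import pickletools
from typing import List, Tuple

# Constructed policy for this example (not Picklescan's lists). A blocklist
# names what someone already knows to be dangerous; an allowlist names the few
# globals a model file legitimately needs and rejects everything else.
BLOCKLIST = {("builtins", "eval"), ("builtins", "exec"), ("os", "system")}
ALLOWLIST = {("collections", "OrderedDict"), ("builtins", "set")}

# Opcodes that push a string onto the unpickler stack; STACK_GLOBAL consumes
# the two most recent ones as (module, name).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_globals(data: bytes) -> List[Tuple[str, str]]:
    """Disassemble with pickletools.genops (no code runs) and return every
    (module, name) pair the pickle would import via GLOBAL or STACK_GLOBAL.
    Simplification: STACK_GLOBAL operands are taken from the last two string
    pushes; a production scanner must model the full stack and memo (GET/PUT)."""
    found: List[Tuple[str, str]] = []
    strings: List[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # genops yields "module name"
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two string operands")
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


def scan_blocklist(data: bytes) -> List[str]:
    """Blocklist style: only flags globals that were already listed as bad."""
    return [f"{m}.{n}" for m, n in extract_globals(data) if (m, n) in BLOCKLIST]


def scan_allowlist(data: bytes) -> List[str]:
    """Allowlist style: flags any global not explicitly permitted (fails closed)."""
    return [f"{m}.{n}" for m, n in extract_globals(data) if (m, n) not in ALLOWLIST]


class AllowlistUnpickler(pickle.Unpickler):
    """Enforce the same allowlist at load time: find_class is the hook the
    unpickler calls for every global it resolves."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def load_is_rejected(data: bytes) -> bool:
    """True when safe_loads refuses the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample inputs. BENIGN resembles a tiny state_dict; UNLISTED only
# references json.loads, a harmless callable that no blocklist names, which is
# enough to show why the allowlist is the safer default.
BENIGN = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]), protocol=4)
UNLISTED = pickle.dumps(json.loads, protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("unlisted", UNLISTED)):
        print(label, "globals:", extract_globals(blob))
        print("  blocklist hits:", scan_blocklist(blob))
        print("  allowlist violations:", scan_allowlist(blob))
        print("  rejected at load:", load_is_rejected(blob))
```

The blocklist scanner passes the second pickle because nobody listed json.loads; the allowlist scanner flags it without needing an update, and the same policy applied through find_class refuses it at load time. That is the practical answer to the maintenance problem the article describes.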


Exploitation of these vulnerabilities allows attackers to conceal harmful pickle payloads in PyTorch model files, introduce CRC errors in ZIP archives, or embed malicious code that avoids detection.
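Two of the three bypasses concern the container around the pickle rather than the pickle itself: trusting the file extension, and a CRC error that turns scanning off. The following added example (written for this article, not Picklescan's code; the archive fixtures, entry names and function names are constructed here) sniffs the container type from the bytes instead of the extension, and fails closed on any ZIP entry that cannot be read with CRC verification rather than skipping it.

```python
import io
import pickle
import zipfile
from typing import Tuple

ZIP_MAGIC = b"PK\x03\x04"
PICKLE_PROTO_BYTE = 0x80  # first byte of the PROTO opcode for protocol >= 2


def classify_by_content(data: bytes) -> str:
    """Decide the container from the bytes, never from the extension: a .pt or
    .bin file may wrap a ZIP, a bare pickle, or neither."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data and data[0] == PICKLE_PROTO_BYTE:
        return "pickle"
    return "unknown"


def zip_verdict(data: bytes) -> Tuple[bool, str]:
    """Read every entry with CRC verification and fail closed: an entry that
    cannot be read (bad CRC, truncation) rejects the whole archive. Entries
    named *.pkl are additionally required to look like pickles, so they can be
    handed on to an opcode-level scanner."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, f"not a readable zip: {exc}"
    with zf:
        for info in zf.infolist():
            try:
                payload = zf.read(info.filename)  # raises BadZipFile on CRC mismatch
            except (zipfile.BadZipFile, zipfile.LargeZipFile, EOFError) as exc:
                return False, f"unreadable entry {info.filename}: {exc}"
            if info.filename.endswith(".pkl") and classify_by_content(payload) != "pickle":
                return False, f"entry {info.filename} is not a pickle"
    return True, "all entries readable"


def verdict(data: bytes) -> Tuple[bool, str]:
    """Top-level decision for a model file of any extension."""
    kind = classify_by_content(data)
    if kind == "zip":
        return zip_verdict(data)
    if kind == "pickle":
        return True, "bare pickle; hand to the opcode scanner"
    return False, "unrecognised container"


def build_model_zip(payload: bytes) -> bytes:
    """Constructed fixture: a minimal PyTorch-style archive with one data.pkl entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("archive/data.pkl", payload)
    return buf.getvalue()


def corrupt_entry_crc(archive: bytes, payload: bytes) -> bytes:
    """Constructed fixture: flip one byte of the stored entry so the recorded
    CRC-32 no longer matches, the error condition a scanner must not skip."""
    at = archive.index(payload)  # stored entries keep the payload verbatim
    mutated = bytearray(archive)
    mutated[at + len(payload) // 2] ^= 0xFF
    return bytes(mutated)


DATA_PKL = pickle.dumps({"weight": [0.1, 0.2]}, protocol=2)
GOOD_MODEL = build_model_zip(DATA_PKL)
CRC_BROKEN_MODEL = corrupt_entry_crc(GOOD_MODEL, DATA_PKL)

if __name__ == "__main__":
    print("good model:", verdict(GOOD_MODEL))
    print("crc-broken model:", verdict(CRC_BROKEN_MODEL))
    print("bare pickle:", verdict(DATA_PKL))
```

The important design choice is in zip_verdict: a read error is a reason to reject the file, never a reason to return "nothing found", and the decision about which scanner to apply is made from the content rather than from a name the uploader controls.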

After responsible disclosure on June 29, 2025, these security gaps were addressed in Picklescan version 0.0.31, released on September 9, 2025. The findings highlight the difficulty in securing AI ecosystems, particularly as frameworks like PyTorch rapidly evolve with new features and file formats faster than scanning tools can adapt.

“AI libraries like PyTorch grow more complex by the day, introducing new features, model formats, and execution pathways faster than security scanning tools can adapt,” said David Cohen, noting that the growing gap leaves systems exposed to advanced threats. He added that closing this gap requires proactive, intelligence-driven security solutions that evolve alongside AI technologies.
