Dec 03, 2025 | Ravie Lakshmanan | Machine Learning / Vulnerability
Three critical security flaws have been disclosed in Picklescan, an open-source utility, that could allow malicious actors to execute arbitrary code by getting a victim to load untrusted PyTorch models, effectively bypassing the tool's protections.
Picklescan, developed and maintained by Matthieu Maitre (@mmaitre314), is a security scanner designed to parse Python pickle files and detect suspicious imports or function calls before they are executed. Pickle is a widely used serialization format in machine learning, including in PyTorch, which uses it to save and load models.
But pickle files can also be a serious security risk: deserializing one can automatically trigger the execution of arbitrary Python code embedded in it. This is why users and organizations are advised to load only trusted models, or to load model weights from TensorFlow and Flax instead.
The issues discovered by JFrog essentially make it possible to bypass the scanner, have the scanned model files reported as safe, and get malicious code executed, which could then pave the way for a supply chain attack.
"Each discovered vulnerability enables attackers to evade PickleScan's malware detection and potentially execute a large-scale supply chain attack by distributing malicious ML models that hide undetectable malicious code," security researcher David Cohen said.
At its core, Picklescan works by analyzing pickle files at the opcode (bytecode) level, extracting the imports and function calls the file would perform when loaded, and checking them against a blocklist of known hazardous imports and operations. Because a blocklist only flags what it already lists, this approach, unlike allowlisting, cannot detect a new attack vector until someone adds it to the list, and it requires the developers to anticipate every possible malicious behavior in advance.
The identified flaws are as follows –
CVE-2025-10155 (CVSS score: 9.3/7.8) – A file extension bypass vulnerability that can be used to undermine the scanner and have the model loaded anyway, by supplying a standard pickle file with a PyTorch-related extension such as .bin or .pt
CVE-2025-10156 (CVSS score: 9.3/7.5) – A bypass vulnerability that can be used to disable ZIP archive scanning by introducing a Cyclic Redundancy Check (CRC) error
CVE-2025-10157 (CVSS score: 9.3/8.3) – A bypass vulnerability that can be used to undermine Picklescan's unsafe globals check, leading to arbitrary code execution by getting around the blocklist of dangerous imports
Successful exploitation of these flaws could allow attackers to hide malicious pickle payloads in files carrying common PyTorch extensions, deliberately introduce CRC errors into ZIP archives containing malicious models, or craft malicious PyTorch models with embedded pickle payloads that slip past the scanner. In every case the scanner reports the file as clean while the model is still loadable, so the one check a defender relies on returns a false negative.
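To make the mechanics concrete, here is an added illustration written for this page (not Picklescan's own code, and not the exact code paths behind the CVEs) of the weakness classes described above and of the blocklist-versus-allowlist trade-off from the earlier paragraph: an opcode-level walk with `pickletools.genops` that resolves both `GLOBAL` and `STACK_GLOBAL` imports, a deliberately naive `naive_scan` that trusts the file extension and swallows ZIP errors (so a raw pickle renamed to `.pt` and a CRC-corrupted archive both pass as safe), and a hardened `scan_model` that classifies by content and fails closed. The toy blocklist and allowlist, the `archive/data.pkl` layout of the constructed ZIP, and all sample payloads are assumptions made for the demonstration; nothing here is ever passed to `pickle.loads`.

```python
import io
import pickle
import pickletools
import zipfile

# Toy lists for the demonstration (assumed; not Picklescan's real lists).
BLOCKLIST = {("os", "system"), ("builtins", "eval"), ("builtins", "exec"), ("subprocess", "Popen")}
ALLOWLIST = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"), ("torch", "FloatStorage")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def imported_globals(data: bytes):
    """Walk the opcode stream with pickletools.genops (nothing is executed) and yield every
    (module, name) the pickle would import, via either GLOBAL or STACK_GLOBAL."""
    strings = []  # string constants seen so far; STACK_GLOBAL consumes the last two (simplified stack model)
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            yield module, name
        elif op.name in STRING_OPS:
            strings.append(arg)

def blocklist_hits(data: bytes):
    """Denylist check: only imports the list already knows about are reported."""
    return [g for g in imported_globals(data) if g in BLOCKLIST]

def allowlist_misses(data: bytes):
    """Allowlist check: anything not explicitly permitted is reported, including never-seen imports."""
    return [g for g in imported_globals(data) if g not in ALLOWLIST]

def container_kind(data: bytes) -> str:
    """Classify by content, never by extension: a raw pickle renamed to .pt is still a raw pickle."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data[:1] == b"\x80":          # PROTO opcode, the first byte of every protocol >= 2 pickle
        return "pickle"
    return "unknown"                  # e.g. protocol 0/1 pickles, which carry no header at all

def naive_scan(filename: str, data: bytes) -> str:
    """The anti-pattern: dispatch on the extension and swallow ZIP errors, so anything that is
    not a well-formed archive is never inspected and passes as 'safe'."""
    if filename.endswith((".pt", ".bin")):     # assumed to be a PyTorch zip because of the name
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if blocklist_hits(zf.read(info.filename)):
                        return "unsafe"
        except zipfile.BadZipFile:
            pass                               # not a zip, or bad CRC: nothing scanned, fails open
        return "safe"
    return "unsafe" if blocklist_hits(data) else "safe"

def scan_model(data: bytes) -> str:
    """Hardened version: content-based classification, and every condition that prevents a full
    inspection (unknown container, ZIP/CRC error, malformed opcode stream) fails closed."""
    try:
        kind = container_kind(data)
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = zf.read(info.filename)   # read() verifies the stored CRC-32; mismatch raises BadZipFile
                    if info.filename.endswith(".pkl") and blocklist_hits(member):
                        return "unsafe"
            return "safe"
        if kind == "pickle":
            return "unsafe" if blocklist_hits(data) else "safe"
        return "unsafe"
    except (zipfile.BadZipFile, ValueError, EOFError):
        return "unsafe"

def torch_style_archive(pickle_bytes: bytes, corrupt_crc: bool = False) -> bytes:
    """Build a minimal PyTorch-style ZIP (assumed layout: archive/data.pkl) around a pickle. With
    corrupt_crc=True the CRC-32 recorded in the central directory, which is the value zipfile
    checks when the member is read, is flipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("archive/data.pkl", pickle_bytes)
    data = bytearray(buf.getvalue())
    if corrupt_crc:
        cd = data.rfind(b"PK\x01\x02")        # central directory header; CRC-32 sits at offset 16
        data[cd + 16] ^= 0xFF
    return bytes(data)

# Constructed sample inputs: hand-assembled opcode streams that are only ever parsed, never loaded.
BENIGN = pickle.dumps({"weights": [1.0, 2.0]})
GLOBAL_PAYLOAD = b"\x80\x02cos\nsystem\n(X\x02\x00\x00\x00idtR."                   # GLOBAL os.system
STACK_GLOBAL_PAYLOAD = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x02id\x85R."     # STACK_GLOBAL os.system
NOVEL_PAYLOAD = b"\x80\x02cshutil\nrmtree\n(X\x01\x00\x00\x00/tR."                # not on the toy blocklist

if __name__ == "__main__":
    print("novel import, blocklist vs allowlist:", blocklist_hits(NOVEL_PAYLOAD), allowlist_misses(NOVEL_PAYLOAD))
    print("raw pickle named model.pt, naive vs hardened:", naive_scan("model.pt", GLOBAL_PAYLOAD), scan_model(GLOBAL_PAYLOAD))
    bad = torch_style_archive(GLOBAL_PAYLOAD, corrupt_crc=True)
    print("CRC-corrupted archive, naive vs hardened:", naive_scan("model.pt", bad), scan_model(bad))
```

The two design points worth carrying into any real scanner are visible in the contrast: decide what a file is from its bytes rather than its name, and treat every parse error as a verdict of "unsafe" rather than as "nothing to report". The `NOVEL_PAYLOAD` case shows the separate blocklist limitation: `shutil.rmtree` is not on the toy denylist, so `blocklist_hits` stays empty while `allowlist_misses` reports it.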
Following responsible disclosure on June 29, 2025, the three vulnerabilities were addressed in Picklescan version 0.0.31, released on September 9. Users of the scanner should upgrade to that version or later.
The findings illustrate some key systemic issues, including reliance on a single scanning tool and discrepancies in file-handling behavior between security tools and PyTorch, which together leave security architectures vulnerable to attack.
"AI libraries like PyTorch grow more complex by the day, introducing new features, model formats, and execution pathways faster than security scanning tools can adapt," Cohen said. "This widening gap between innovation and security leaves organizations exposed to emerging threats that conventional tools simply weren't designed to anticipate."
"Closing this gap requires a research-backed security proxy for AI models, continuously informed by experts who think like both attackers and defenders. By actively analyzing new models, monitoring library updates, and uncovering novel exploitation techniques, this approach delivers adaptive, intelligence-driven protection against the vulnerabilities that matter most."
