Security researchers at JFrog uncovered three critical zero-day flaws in PickleScan, a key tool for detecting malware in Python pickle-based machine learning models, such as those in PyTorch.
These issues let attackers slip past scans and run harmful code when users load tainted models from sites such as Hugging Face.
PyTorch relies on pickle for model storage by default, which can execute any Python code during loading, creating a significant risk for arbitrary code execution.
PickleScan checks model files by parsing bytecode, matching against blocked operations, and handling formats like ZIP archives.
Yet gaps in its logic allow evasion: inputs that make PickleScan crash or skip analysis are still accepted and loaded by PyTorch, enabling supply-chain attacks on AI repositories.
Organizations using PickleScan for model vetting face widespread exposure, as Hugging Face integrates it for millions of uploads.
All flaws have a CVSS score of 9.3 and affect versions up to 0.0.30.
The first flaw, CVE-2025-10155, stems from faulty file type checks in the scanner’s code.
Renaming a standard pickle file to a PyTorch extension such as .bin fools PickleScan, which expects the PyTorch container format and fails to parse the file, while PyTorch itself loads it based on its content.
The malicious payload therefore never receives a complete analysis.
CVE-2025-10156 exploits ZIP handling errors. Corrupted Cyclic Redundancy Check (CRC) values in archive headers make scanning halt on exceptions from Python’s zipfile module.
PyTorch skips these CRC checks via build flags and loads the model anyway, so such archives can carry pickle exploits undetected.
CVE-2025-10157 bypasses the unsafe globals blocklist.
PickleScan matches exact module names, so submodules such as asyncio.unix_events evade full flagging and are marked only as “suspicious” instead of “dangerous.”
This permits code execution via subprocess creation during deserialization.
| CVE ID | CVSS Score | Description | Affected Versions | Fixed In |
|---|---|---|---|---|
| CVE-2025-10155 | 9.3 | File extension bypass in scanning logic | ≤0.0.30 | 0.0.31 |
| CVE-2025-10156 | 9.3 | CRC error crash in ZIP archive scanning | ≤0.0.30 | 0.0.31 |
| CVE-2025-10157 | 9.3 | Unsafe globals evasion via submodule imports | ≤0.0.30 | 0.0.31 |
Update to PickleScan 0.0.31 immediately, as maintainers patched all issues post-disclosure on June 29, 2025, with fixes released September 2.
Shift to safe formats like Safetensors to avoid pickle risks entirely, and layer defenses: sandboxes, model proxies such as JFrog Artifactory, and automatic removal of models whose scans fail.
These flaws expose AI security’s fragility, where scanner mismatches with loaders create blind spots.
Widespread PickleScan use amplifies supply chain threats across ML platforms.
Teams should audit pipelines and monitor for exploits, prioritizing blocklists backed by active research.