CVE-2025-1944

Name of the Vulnerable Software and Affected Versions PickleScan versions prior to 0.0.23

Description The issue allows for a ZIP archive manipulation attack, causing PickleScan to crash when extracting and scanning PyTorch model archives. An attacker can modify the filename in the ZIP header, while keeping the original filename in the directory listing, to make PickleScan raise a BadZipFile error. However, PyTorch's ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

Recommendations For versions prior to 0.0.23, update to version 0.0.23 or later to resolve the issue. As a temporary workaround, consider restricting the use of PickleScan to scan PyTorch model archives until a patch is available. Avoid using PickleScan to extract and scan ZIP archives that may contain malicious payloads.