PT-2025-10575 · Pytorch+1

Madgetr · Published 2025-03-10 · Updated 2025-03-10 · CVE-2025-1945

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PickleScan versions prior to 0.0.23

Description: The issue allows an attacker to embed malicious pickle files inside PyTorch model archives by modifying specific ZIP file flag bits. The malicious files remain undetected by PickleScan but are still loaded by PyTorch's torch.load() function, so loading a compromised model can lead to arbitrary code execution.

Recommendations: For PickleScan versions prior to 0.0.23, update to version 0.0.23 or later. As a temporary workaround, inspect ZIP file headers for modified flag bits before loading PyTorch models, and restrict access to potentially compromised models to minimize the risk of exploitation.
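The workaround above says to inspect ZIP headers for modified flag bits before a model is loaded. The script below is an added example of such a pre-load check; it is not PickleScan's or PyTorch's code. For every member it reads the general-purpose flag word from the local file header and compares it with the flag word the central directory carries (Python's zipfile only reads the central directory when listing an archive), reports any flag bits outside a whitelist, and records members the stdlib reader refuses to open, since a scanner built on that reader cannot see inside them. The whitelist mask and the choice of bit 5 for the constructed test fixture are assumptions made for the example; the advisory does not name the bits involved, and the fixture's member is plain text, not a pickle.

```python
import io
import struct
import zipfile

# ZIP local file header layout (all little-endian): signature, version needed,
# general-purpose bit flag, compression method, mod time, mod date, CRC-32,
# compressed size, uncompressed size, file name length, extra field length.
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
LOCAL_HEADER_SIG = b"PK\x03\x04"
FLAG_FIELD_OFFSET = 6  # the flag word follows the 4-byte signature and 2-byte version

# Flag bits an ordinary PyTorch archive is expected to use. This whitelist is an
# assumption for the example, not a list taken from the advisory: bit 0
# (encryption), bits 1-2 (compression options), bit 3 (data descriptor),
# bit 11 (UTF-8 names). Anything else set is reported.
EXPECTED_FLAG_MASK = (1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 11)


def inspect_flag_bits(archive: bytes) -> list[str]:
    """Cross-check every member's local header against the central directory.

    Returns human-readable findings; an empty list means nothing looked off.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            raw = archive[start:start + LOCAL_HEADER_SIZE]
            if len(raw) < LOCAL_HEADER_SIZE:
                findings.append(f"{info.filename}: truncated local header")
                continue
            fields = struct.unpack(LOCAL_HEADER_FMT, raw)
            signature, local_flags = fields[0], fields[2]
            if signature != LOCAL_HEADER_SIG:
                findings.append(f"{info.filename}: bad local header signature")
                continue
            central_flags = info.flag_bits  # zipfile takes this from the central directory
            if local_flags != central_flags:
                findings.append(
                    f"{info.filename}: local flags 0x{local_flags:04x} "
                    f"differ from central flags 0x{central_flags:04x}"
                )
            for where, flags in (("local", local_flags), ("central", central_flags)):
                unexpected = flags & ~EXPECTED_FLAG_MASK
                if unexpected:
                    findings.append(
                        f"{info.filename}: unexpected {where} flag bits 0x{unexpected:04x}"
                    )
            # A scanner built on the stdlib reader only sees members the stdlib
            # can open; record any it refuses so that blind spot is visible.
            try:
                with zf.open(info) as member:
                    member.read()
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError, OSError) as exc:
                findings.append(f"{info.filename}: stdlib reader refused member: {exc}")
    return findings


def build_archive(entries: dict) -> bytes:
    """Constructed fixture: a stored (uncompressed) ZIP with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def with_local_flag_bit(archive: bytes, member: str, bit: int) -> bytes:
    """Constructed fixture: a copy of the archive with one extra flag bit set in
    a member's local header only, so the detector has something to find."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        pos = zf.getinfo(member).header_offset + FLAG_FIELD_OFFSET
    flags = struct.unpack_from("<H", archive, pos)[0] | (1 << bit)
    return archive[:pos] + struct.pack("<H", flags) + archive[pos + 2:]


# Constructed samples: the member holds plain text, not a real pickle.
CLEAN = build_archive({"model/data.pkl": b"not a real pickle, just sample bytes"})
TAMPERED = with_local_flag_bit(CLEAN, "model/data.pkl", bit=5)

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, inspect_flag_bits(data) or "no findings")
```

Run it and the clean archive yields no findings, while the tampered copy is reported three ways: the local and central flag words disagree, the local word carries a bit outside the whitelist, and the stdlib reader refuses the member. Any non-empty result is a reason not to hand the file to torch.load(); the local-versus-central comparison is the check worth keeping even if you tune the whitelist, because a writer that produced the archive honestly sets both words the same.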

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2025-1945
GHSA-2FH4-GPCH-VQV4
GHSA-W8JQ-XCQF-F792
PYSEC-2025-21

Affected Products

Picklescan
Pytorch