PT-2025-9534 · Unknown · Picklescan

Madgetr · Published 2025-02-26 · Updated 2025-03-06 · CVE-2025-1889

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
picklescan versions prior to 0.0.22

Description
The issue arises because picklescan only considers standard pickle file extensions during its vulnerability scan. An attacker can craft a malicious model that uses Pickle and includes a malicious pickle file with a non-standard file extension. Since that file falls outside the scope of picklescan's scan, it passes the security checks and the model appears safe when it is not. This vulnerability can lead to arbitrary code execution when the model is loaded, potentially allowing supply-chain attacks by embedding malicious code in PyTorch models that remains undetected but executes when the model is loaded.

Recommendations
  1. For versions prior to 0.0.22, scan all files in the ZIP archive instead of relying on file extensions.
  2. For versions prior to 0.0.22, detect hidden pickle references by performing static analysis to identify torch.load(pickle_file=...) calls inside data.pkl.
  3. For versions prior to 0.0.22, implement magic byte detection that inspects file contents for the pickle magic bytes (\x80\x05) instead of relying on extensions.
  4. For versions prior to 0.0.22, block the following globals: torch.load and functools.partial.
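As an added example (not part of this advisory or of the picklescan project), a minimal scanner applying recommendations 1, 3 and 4 to every member of a ZIP model archive: it recognises pickles by their PROTO header rather than their extension (generalised from the \x80\x05 case to protocols 2 through 5), disassembles the opcode stream without unpickling anything, and reports references to torch.load and functools.partial. The sample archive is constructed for the example; the member names are assumptions.

```python
import io
import pickletools
import zipfile

# The two globals the advisory says to block.
DISALLOWED_GLOBALS = {("torch", "load"), ("functools", "partial")}


def looks_like_pickle(data: bytes) -> bool:
    """Content check, not an extension check: PROTO opcode 0x80 followed by a
    protocol byte 2..5 (the advisory's \\x80\\x05 is the protocol-5 case)."""
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5


def find_globals(data: bytes) -> set:
    """Disassemble the opcode stream with pickletools (nothing is unpickled)
    and collect every (module, name) named by GLOBAL or STACK_GLOBAL."""
    found, strings = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":            # arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.add((strings[-2], strings[-1]))  # operands pushed earlier
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def scan_archive(archive: bytes) -> dict:
    """Inspect every ZIP member whatever its name; return
    {member: disallowed globals} for pickle-looking members that hit."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if looks_like_pickle(data):
                hits = find_globals(data) & DISALLOWED_GLOBALS
                if hits:
                    findings[name] = hits
    return findings


def build_sample_archive() -> bytes:
    """Constructed input: a hand-assembled protocol-5 pickle that references
    torch.load, stored under a non-pickle extension beside a text file."""
    payload = b"\x80\x05ctorch\nload\n."  # PROTO 5, GLOBAL torch load, STOP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/weights.bin", payload)
        zf.writestr("model/README.txt", b"plain text, not a pickle")
    return buf.getvalue()
```

Calling scan_archive(build_sample_archive()) reports model/weights.bin with the torch.load reference, which an extension-based scan would have skipped.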

Weakness Enumeration

Incomplete List of Disallowed Inputs (CWE-184)

Related Identifiers

BDU:2025-15447
CVE-2025-1889
GHSA-655Q-FX9R-782V
GHSA-769V-P64C-89PR
GHSA-HW34-RQC5-H2GM
PYSEC-2025-18
PYSEC-2025-19

Affected Products

Picklescan