Full Report
Three critical security flaws have been disclosed in an open-source utility called Picklescan that could allow malicious actors to execute arbitrary code by loading untrusted PyTorch models, effectively bypassing the tool's protections. Picklescan, developed and maintained by Matthieu Maitre (@mmaitre314), is a security scanner that's designed to parse Python pickle files and detect suspicious
Analysis Summary
# Vulnerability: Picklescan Bypass Flaws Leading to Arbitrary Code Execution via PyTorch Models
## CVE Details
- CVE ID: CVE-2025-10155, CVE-2025-10156, CVE-2025-10157
- CVSS Score:
  - CVE-2025-10155: 9.3 (Critical)
  - CVE-2025-10156: 9.3 (Critical)
  - CVE-2025-10157: 9.3 (Critical)
- CWE: Not stated in the summary; the flaws relate to improper input validation that leads to unsafe deserialization and code execution.
## Affected Systems
- Products: Picklescan (open-source utility for scanning Python pickle files, including those used by PyTorch).
- Versions: Versions prior to 0.0.31.
- Configurations: Any configuration where Picklescan is used to parse untrusted PyTorch model pickle files.
## Vulnerability Description
Three critical flaws were discovered in Picklescan that allow attackers to bypass its malware detection mechanisms and execute arbitrary code contained within untrusted PyTorch model files (`.bin` or `.pt`). Picklescan analyzes pickle bytecode against a blocklist.
1. **CVE-2025-10155 (File Extension Bypass):** Allows bypassing the scanner by loading a standard pickle file using PyTorch-related extensions like `.bin` or `.pt`.
2. **CVE-2025-10156 (ZIP Archive Bypass):** Allows disabling ZIP archive scanning by deliberately introducing a Cyclic Redundancy Check (CRC) error into the archive structure.
3. **CVE-2025-10157 (Unsafe Globals Bypass):** Allows bypassing the check for unsafe globals by crafting malicious PyTorch models with embedded pickle payloads that circumvent the blocklist of dangerous imports/operations, leading directly to arbitrary code execution.
## Exploitation
- Status: PoC available (the disclosure describes the bypass methods in detail).
- Complexity: Low (the flaws allow a direct bypass when a model uses specific file extensions or archive constructs).
- Attack Vector: Local / file-based (a malicious model file leads to execution when it is scanned or loaded).
## Impact
- Confidentiality: High (Arbitrary code execution can lead to data exfiltration).
- Integrity: High (Arbitrary code execution can lead to system compromise and modification).
- Availability: High (Arbitrary code execution can lead to system disruption).
## Remediation
### Patches
- **Picklescan version 0.0.31** (Released September 9).
### Workarounds
- **Load only trusted models:** Ensure model weights are only loaded from verified, trusted sources.
- **Use alternative serialization formats:** Load model weights from formats other than Python pickle, such as those used by TensorFlow or Flax, where possible.
- **Avoid reliance on a single tool:** Do not rely solely on Picklescan for defense, as systemic differences in file handling behavior between security tools and ML libraries can create gaps.
## Detection
- **Indicators of Compromise (IoCs):** Detection requires forensic analysis of file header structures (for the ZIP/CRC bypass) or monitoring for unexpected high-risk imports/function calls within the environment where Picklescan processes the files.
- **Detection Methods and Tools:** Because these are bypasses, standard static scanning might fail. Integrity monitoring of the environment where models are loaded and executed is crucial to catch the resulting arbitrary code execution.
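The checks that the vulnerability description and this detection section call for, as an added example that is not Picklescan's code: an opcode walker that lists a pickle's imports from the raw bytes (so the file extension plays no role), and a zip scan that treats a CRC mismatch as a finding rather than a reason to skip the archive. The `os.system` reference, the allowlist and the `archive/data.pkl` layout are constructed for illustration.

```python
import io
import pickle
import pickletools
import zipfile

# Constructed samples, not from the advisory: each references os.system through a
# GLOBAL-type opcode but has no REDUCE, so nothing is called; they are only ever
# fed to the opcode walker, never to pickle.loads.
GLOBAL_SAMPLE = b"\x80\x02cos\nsystem\n."                       # protocol 2, GLOBAL
STACK_GLOBAL_SAMPLE = b"\x80\x04\x8c\x02os\x8c\x06system\x93."  # protocol 4, STACK_GLOBAL
BENIGN_SAMPLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)

ALLOWED_GLOBALS = {("collections", "OrderedDict")}  # illustrative allowlist
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def extract_globals(data: bytes) -> set[tuple[str, str]]:
    """Collect every (module, name) the pickle imports by walking its opcodes.
    Works on raw bytes, so the file extension never enters the decision."""
    found, strings = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                            # arg is "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.add((strings[-2], strings[-1]))          # pushed just before
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found

def make_torch_like_zip(payload: bytes, corrupt: bool = False) -> bytes:
    """In-memory zip in the archive/data.pkl layout PyTorch uses; corrupt=True
    flips one payload byte after writing so the stored CRC-32 no longer matches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("archive/data.pkl", payload)
    data = bytearray(buf.getvalue())
    if corrupt:
        data[data.find(payload)] ^= 0xFF
    return bytes(data)

def scan_zip(data: bytes) -> dict:
    """Scan each .pkl member. A CRC mismatch is a finding in itself (fail closed),
    not a reason to skip the archive; any global outside the allowlist is reported."""
    result = {"crc_error": None, "suspicious": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["crc_error"] = zf.testzip()                 # None when all CRCs match
        for info in zf.infolist():
            if info.filename.endswith(".pkl") and info.filename != result["crc_error"]:
                result["suspicious"] |= extract_globals(zf.read(info)) - ALLOWED_GLOBALS
    result["verdict"] = "reject" if result["crc_error"] or result["suspicious"] else "clean"
    return result
```

A member whose CRC fails is reported by name instead of being silently passed over, which is the behaviour the CRC bypass relied on.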
## References
- Vendor Advisories: GitHub Security Advisories linked within the CVE identifiers (e.g., GHSA-jgw4-cr84-mqxg).
- Relevant links:
  - [github dot com/mmaitre314/picklescan]
  - [github dot com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg]
  - [github dot com/mmaitre314/picklescan/security/advisories/GHSA-mjqp-26hc-grxg]
  - [github dot com/mmaitre314/picklescan/security/advisories/GHSA-f7qq-56ww-84cr]
  - [github dot com/mmaitre314/picklescan/releases/tag/v0.0.31]