
Picklescan Bugs Enable Malicious PyTorch Models to Evade Scans and Execute Code

Three critical security flaws have been disclosed in an open-source utility called Picklescan that could allow malicious actors to execute arbitrary code by loading untrusted PyTorch models, effectively bypassing the tool's protections.

Picklescan, developed and maintained by Matthieu Maitre (@mmaitre314), is a security scanner designed to parse Python pickle files and detect suspicious imports or function calls before they are executed. Pickle is a widely used serialization format in machine learning, including in PyTorch, which uses the format to save and load models.

But pickle files can also be a serious security risk, because they can be used to trigger the execution of arbitrary Python code automatically when they are loaded. This means users and organizations need to load only trusted models, or load model weights from TensorFlow and Flax instead.

The issues discovered by JFrog essentially make it possible to bypass the scanner, have the scanned model files reported as safe, and allow malicious code to execute, which could then pave the way for a supply chain attack.


"Each discovered vulnerability allows attackers to evade PickleScan's malware detection and potentially execute a large-scale supply chain attack by distributing malicious ML models that hide undetectable malicious code," security researcher David Cohen said.


Picklescan, at its core, works by inspecting pickle files at the opcode (bytecode) level and checking the imports and operations it finds against a blocklist of known dangerous ones. Because this is a blocklist rather than an allowlist, the tool cannot detect an attack vector that has not yet been added to the list, and its developers have to enumerate every possible malicious behavior in advance.

The identified flaws are as follows -

  • CVE-2025-10155 (CVSS score: 9.3/7.8) - A file extension bypass vulnerability that can be used to undermine the scanner and still have the model loaded, by supplying a standard pickle file with a PyTorch-related extension such as .bin or .pt
  • CVE-2025-10156 (CVSS score: 9.3/7.5) - A bypass vulnerability that can be used to disable ZIP archive scanning by introducing a Cyclic Redundancy Check (CRC) error
  • CVE-2025-10157 (CVSS score: 9.3/8.3) - A bypass vulnerability that can be used to undermine Picklescan's unsafe globals check, leading to arbitrary code execution by getting around the blocklist of dangerous imports

Successful exploitation of the aforementioned flaws could allow attackers to conceal malicious pickle payloads inside files that use common PyTorch extensions, deliberately introduce CRC errors into ZIP archives containing malicious models, or craft malicious PyTorch models with embedded pickle payloads that bypass the scanner.
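The three failure modes above, together with the blocklist-versus-allowlist limitation described earlier, all come down to how a scanner decides what it is looking at and what it does when it cannot tell. The following is an added example written for this article, not Picklescan's code and not JFrog's proof of concept: a small pickle scanner that classifies a file by its magic bytes rather than its extension, treats a ZIP CRC error as "unscannable" instead of silently skipping the archive, and extracts imported globals from the opcode stream so they can be checked in either blocklist or allowlist mode. The block/allow lists, the sample pickles and the in-memory archives are all constructed here for illustration; the constructed pickles are never unpickled, only parsed with pickletools, so nothing executes.

```python
"""Content-sniffing pickle/ZIP scanner that fails closed (added example, not Picklescan's code)."""
import io
import pickle
import pickletools
import zipfile

# Illustrative lists only; these are NOT Picklescan's actual block/allow lists.
EXAMPLE_BLOCKLIST = {"os", "subprocess", "builtins"}
EXAMPLE_ALLOWLIST = {"collections", "torch", "numpy"}

# Opcodes that push a string literal; STACK_GLOBAL consumes the last two of them.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_imports(data):
    """Return every (module, name) pair a pickle would import, without executing it."""
    imports, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):   # raises ValueError on a malformed stream
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":                     # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            imports.add((module, name))
        elif op.name == "STACK_GLOBAL":               # protocol 4+: module and name come from the stack
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            imports.add((strings[-2], strings[-1]))
    return imports


def flag_imports(imports, allowlist=None, blocklist=frozenset()):
    """Blocklist mode flags only known-bad modules; allowlist mode flags everything not known-good."""
    if allowlist is not None:
        return sorted(i for i in imports if i[0] not in allowlist)
    return sorted(i for i in imports if i[0] in blocklist)


def scan_model(data, allowlist=None, blocklist=EXAMPLE_BLOCKLIST):
    """Classify by magic bytes, never by extension; any error is reported as 'unscannable'.

    Returns (verdict, details) with verdict in {"clean", "dangerous", "unscannable"}.
    """
    blobs = {}
    if data.startswith(b"PK\x03\x04"):                # ZIP container (the torch.save default layout)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    blobs[name] = zf.read(name)       # read() verifies the CRC-32 and raises on mismatch
        except zipfile.BadZipFile as exc:
            return "unscannable", [f"zip: {exc}"]     # fail closed: do not skip, do not report clean
    else:
        blobs["<raw>"] = data                         # a plain pickle, whatever the extension says

    flagged, parsed_any = [], False
    for name, blob in blobs.items():
        try:
            imports = extract_imports(blob)
        except ValueError:
            continue                                  # not a pickle stream (e.g. raw tensor storage)
        parsed_any = True
        for module, attr in flag_imports(imports, allowlist=allowlist, blocklist=blocklist):
            flagged.append(f"{name}: {module}.{attr}")
    if not parsed_any:
        return "unscannable", ["no parsable pickle stream found"]
    return ("dangerous" if flagged else "clean"), flagged


def make_zip(members):
    """Build an in-memory ZIP (ZIP_STORED, so member bytes appear verbatim in the archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples. The two protocol-0 pickles are hand-written opcodes: GLOBAL, MARK, STRING,
# TUPLE, REDUCE, STOP. They would call the named function on load; here they are only parsed.
MALICIOUS_RAW = b'cos\nsystem\n(S"id"\ntR.'           # os.system("id")
UNLISTED_RAW = b'crunpy\nrun_path\n(S"x.py"\ntR.'    # runpy.run_path("x.py"); runpy is not in EXAMPLE_BLOCKLIST
BENIGN_RAW = pickle.dumps({"weights": [0.5, 1.5]}, protocol=4)

GOOD_ZIP = make_zip({"model/data.pkl": BENIGN_RAW, "model/data/0": b"\x00" * 16})
BAD_ZIP = make_zip({"model/data.pkl": MALICIOUS_RAW})
# Corrupt the stored member bytes while leaving the recorded CRC-32 untouched -> CRC mismatch on read.
CRC_BROKEN_ZIP = BAD_ZIP.replace(b'S"id"', b'S"ls"', 1)

if __name__ == "__main__":
    for label, blob in [("plain pickle saved as model.pt", MALICIOUS_RAW),
                        ("unlisted import, blocklist mode", UNLISTED_RAW),
                        ("benign torch-style archive", GOOD_ZIP),
                        ("malicious archive", BAD_ZIP),
                        ("malicious archive with bad CRC", CRC_BROKEN_ZIP)]:
        print(f"{label}: {scan_model(blob)}")
    print("unlisted import, allowlist mode:", scan_model(UNLISTED_RAW, allowlist=EXAMPLE_ALLOWLIST))
```

Two design choices matter here. First, the scanner never receives a file name, so a plain pickle renamed to .pt or .bin is scanned exactly like any other pickle. Second, a ZIP whose CRC does not verify is reported as unscannable rather than clean; whether the loader on the other side would still accept such an archive is a separate question, and a scanner that answers "clean" for input it could not actually inspect is the gap the disclosed bugs exploit. The allowlist run also shows the structural point from earlier: runpy.run_path passes the example blocklist untouched but is caught the moment only known-good modules are permitted.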


Following responsible disclosure on June 29, 2025, the three vulnerabilities were addressed in Picklescan version 0.0.31, released on September 9.

The findings illustrate some key systemic issues, including reliance on a single scanning tool and discrepancies in file-handling behavior between security tools and PyTorch, which leave security architectures open to attack.

"AI libraries like PyTorch grow more complex by the day, introducing new features, model formats, and execution pathways faster than security scanning tools can adapt," Cohen said. "This widening gap between innovation and protection leaves organizations exposed to emerging threats that conventional tools simply weren't designed to anticipate."

"Closing this gap requires a research-backed security proxy for AI models, continuously informed by experts who think like both attackers and defenders. By actively analyzing new models, monitoring library updates, and uncovering novel exploitation techniques, this approach delivers adaptive, intelligence-driven protection against the vulnerabilities that matter most."
