
AI Supply Chains at Risk from Critical PickleScan Flaws

Summary

– Three critical zero-day vulnerabilities (CVSS 9.3) were discovered in the PickleScan tool, allowing attackers to bypass its scanning of Python pickle files and PyTorch models.
– The first flaw (CVE-2025-10155) was a file extension bypass where renaming a malicious file to a PyTorch extension caused the scanner to misclassify and fail to inspect it properly.
– The second flaw (CVE-2025-10156) exploited a difference in ZIP archive handling, where corrupted archives with zeroed CRC values would fail in PickleScan but load in PyTorch.
– The third flaw (CVE-2025-10157) allowed evasion of the scanner’s dangerous import blacklist by using subclasses of flagged modules, resulting only in a “Suspicious” label.
– The vulnerabilities, disclosed and patched in 2025, highlight systemic supply chain risks and prompted recommendations to update PickleScan and adopt safer formats like Safetensors.

Cybersecurity researchers have identified three severe zero-day vulnerabilities within PickleScan, a popular utility for inspecting Python pickle files and PyTorch models. These flaws, each carrying a critical CVSS score of 9.3, demonstrate a clear pathway for attackers to circumvent security checks and distribute harmful machine learning models without detection. The discovery underscores significant risks within the AI development supply chain, where a single compromised model could propagate widely across repositories and platforms.

The initial vulnerability, tracked as CVE-2025-10155, involves a straightforward file extension bypass. Investigators discovered that simply renaming a malicious pickle file to a common PyTorch extension, like .bin or .pt, caused PickleScan to misidentify the file type. The scanner would then route the file to PyTorch-specific parsing logic. Since the tool prioritized file extensions over deeper content analysis, the scan would fail, yet PyTorch would load the harmful file without issue.

A second, more complex flaw, CVE-2025-10156, revealed a critical discrepancy in how PickleScan and PyTorch handle ZIP archives. PickleScan relies on Python’s built-in zipfile module, which generates exceptions when it encounters Cyclic Redundancy Check errors. PyTorch, however, ignores these CRC mismatches entirely. By demonstrating that zeroing out CRC values in a model archive causes the scanner to fail, researchers proved attackers could craft corrupted archives containing malicious code. These archives would bypass security checks but still load successfully in PyTorch, creating a dangerous blind spot.

The third vulnerability, CVE-2025-10157, provided a method to evade PickleScan’s import blacklist. Rather than directly referencing a banned module, a malicious payload could instead call a subclass of that module. This technique caused the scanner to flag the file only as “Suspicious” instead of the more severe “Dangerous” classification. A proof-of-concept using internal asyncio classes showed how arbitrary commands could execute during the deserialization process while avoiding the highest alert level.

These findings point to several systemic issues within AI security practices. Organizations often place undue reliance on a single scanning tool like PickleScan, creating a single point of failure. Furthermore, there is a dangerous divergence in file-handling behavior between security tools and core ML frameworks like PyTorch. This mismatch allows crafted exploits to slip through. Collectively, these weaknesses expose the entire ecosystem to potential large-scale supply chain attacks, threatening major model hubs and the projects that depend on them.

The vulnerabilities were responsibly disclosed to the PickleScan maintainers in late June 2025, with patches released in early September. In response, security experts strongly advise all users to immediately update PickleScan to version 0.0.31 or later. They also recommend adopting a defense-in-depth strategy with multiple security layers and, where possible, transitioning to inherently safer serialization formats such as Safetensors to reduce the attack surface associated with pickle files.
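As an added example, not from the article or from the PickleScan project, the following Python pre-load gate applies the defensive lesson of each of the three flaws described above: it classifies a file by content rather than by extension, refuses ZIP archives whose member CRCs do not verify (which PyTorch would otherwise still load), and replaces an import blacklist with an allowlist, which an unlisted subclass cannot slip past. The allowlist contents, the `gate` function and the fixture builders are assumptions constructed for this illustration.

```python
import collections
import io
import pickle
import zipfile
# Hypothetical, deliberately tiny allowlist. Unlike a blacklist of dangerous
# modules, it cannot be evaded by naming an unlisted subclass: unlisted fails.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"{module}.{name} is not allowlisted")
        return super().find_class(module, name)

def sniff_format(data: bytes) -> str:
    """Classify by content; a .pt or .bin suffix proves nothing (CVE-2025-10155)."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "pickle" if data.startswith(b"\x80") else "unknown"  # PROTO opcode

def gate(data: bytes) -> tuple[bool, str]:
    """Fail-closed pre-load check. Returns (allowed, reason)."""
    fmt = sniff_format(data)
    if fmt == "pickle":
        try:
            AllowlistUnpickler(io.BytesIO(data)).load()
        except pickle.UnpicklingError as exc:
            return False, f"pickle rejected: {exc}"
        return True, "pickle references only allowlisted globals"
    if fmt == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = zf.testzip()  # first CRC-mismatched member, else None (CVE-2025-10156)
        except zipfile.BadZipFile as exc:
            return False, f"malformed zip: {exc}"
        return (False, f"CRC mismatch in {bad!r}") if bad else (True, "zip CRCs verified")
    return False, "unrecognised format"

# Constructed fixtures for a self-test; neither is a real checkpoint.
def fixture_pickle(benign: bool) -> bytes:
    obj = collections.OrderedDict(w=[0.5, -1.0]) if benign else collections.deque
    return pickle.dumps(obj, protocol=4)

def fixture_zip(corrupt: bool) -> bytes:
    payload = b"constructed member bytes, not a real tensor"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", payload)
    data = bytearray(buf.getvalue())
    if corrupt:  # flip one stored byte so the recorded CRC no longer matches
        data[data.find(payload)] ^= 0xFF
    return bytes(data)
```

The gate is meant to run before `torch.load` (or any loader) touches the file, so that a rejection happens before any deserialization code executes.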

(Source: InfoSecurity Magazine)
