CVE-2025-1944

6.5 MEDIUM

📋 TL;DR

CVE-2025-1944 is a ZIP archive manipulation vulnerability in picklescan versions before 0.0.23 that lets a malicious PyTorch model file bypass scanning. PyTorch .pt/.pth files are ZIP containers; an attacker edits the filename in a member's local file header while leaving the original name in the ZIP central directory. Python's zipfile module, which picklescan uses to read the archive, rejects the mismatch with a BadZipFile error, so the scan aborts without reporting a finding, while PyTorch's more lenient ZIP reader still loads the model and executes whatever the embedded pickle contains. Anyone relying on picklescan to vet untrusted PyTorch models is affected.

💻 Affected Systems

Products:
  • picklescan
Versions: All versions before 0.0.23
Operating Systems: All platforms running picklescan
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using picklescan on ZIP-based PyTorch model files (.pt/.pth archives written by torch.save, or .zip model bundles). Bare pickle files (.pkl) that are not inside a ZIP container do not go through the archive code path.

📦 What is this software?

picklescan is an open-source Python tool that scans pickle files, including the pickle streams embedded in ZIP-based PyTorch model archives, for imports and global references known to be dangerous (for example os.system or subprocess calls) and reports them so a model can be rejected before it is loaded.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Malicious PyTorch models carrying arbitrary-code-execution payloads pass the scanner unflagged and are then loaded with torch.load, giving remote code execution on the system that processes them.

🟠 Likely Case: Attackers publish or deliver malicious models that evade detection, compromising AI/ML pipelines and the data-processing systems that load them.

🟢 If Mitigated: When scan failures are treated as rejections and models are only loaded after a clean scan, the impact is limited to false rejections of malformed archives, which can be triaged from the scan logs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires creating specially crafted ZIP archives with mismatched filenames, which is straightforward for attackers familiar with ZIP format manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.23

Vendor Advisory: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82

Restart Required: No

Instructions:

1. Update picklescan to version 0.0.23 or later: pip install --upgrade 'picklescan>=0.0.23' (quote the specifier so the shell does not treat >= as a redirect)
2. Confirm the installed version is 0.0.23 or higher in every environment that runs picklescan (pip show picklescan), including virtualenvs and container images
3. No restart is required when picklescan is run as a command-line tool; a long-running service that imports picklescan as a library must be restarted to pick up the new code

🔧 Temporary Workarounds

Manual ZIP validation before scanning

Platform: all

Validate archives with Python's strict zipfile reader before passing them to picklescan, and reject any archive it flags rather than scanning it anyway. The stdlib test opens every member, so a local-header name that differs from the central directory is reported as a corrupted entry. Check the output, not just the exit status: the command prints "The following enclosed file is corrupted: ..." for a bad member but still exits 0.

python -m zipfile -t suspicious_model.zip

Use alternative scanning tools

Platform: all

Supplement picklescan with a second scanner for PyTorch models, and treat any scanner abort as a rejection rather than a clean result.

🧯 If You Can't Patch

  • Treat a picklescan crash or non-zero exit as a failed scan and reject the model; never let an aborted scan fall through to torch.load
  • Validate archive structure (local file header names against the central directory) before scanning, and quarantine any archive that fails
  • Run picklescan in isolated environments with crash monitoring so scanning failures are surfaced rather than silently absorbed by the pipeline
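The mechanism described in the TL;DR, the manual ZIP validation workaround and the fail-closed rule above, worked through in one added example (this is not picklescan's or PyTorch's own code): it builds a constructed stand-in for a torch.save() container, rewrites one member's name in its local file header only, shows that Python's strict zipfile reader then raises BadZipFile (the crash path in picklescan before 0.0.23) while the central directory still lists the original name, and gates archives on that check. The member names such as archive/data.pkl, the function names and the sample pickle payload are assumptions for illustration.

```python
"""Added example for CVE-2025-1944: reproduce the local-header / central-directory
name mismatch and gate archives on it (fail closed). Not picklescan's own code."""
import io
import pickle
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30      # fixed part of a local file header; filename follows it
UTF8_FLAG = 0x800          # general-purpose bit 11: filename is UTF-8, else cp437


def build_model_archive(entries):
    """Constructed stand-in for a torch.save() container: a STORED ZIP of members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def rename_local_header(archive, old_name, new_name):
    """Rewrite the filename inside one local file header only; the central
    directory keeps the original name. Same byte length, so no offsets move.
    This is the mismatch the advisory describes."""
    old, new = old_name.encode(), new_name.encode()
    if len(old) != len(new):
        raise ValueError("replacement name must have the same byte length")
    pos = 0
    while True:
        pos = archive.find(LOCAL_HEADER_SIG, pos)
        if pos < 0:
            raise KeyError(old_name)
        name_len, extra_len = struct.unpack_from("<HH", archive, pos + 26)
        start = pos + LOCAL_HEADER_LEN
        if archive[start:start + name_len] == old:
            return archive[:start] + new + archive[start + name_len:]
        pos = start + name_len + extra_len


def _local_name(archive, info):
    """Filename as stored in the member's local header, decoded the way zipfile does."""
    off = info.header_offset
    if archive[off:off + 4] != LOCAL_HEADER_SIG:
        return None
    name_len = struct.unpack_from("<H", archive, off + 26)[0]
    raw = archive[off + LOCAL_HEADER_LEN:off + LOCAL_HEADER_LEN + name_len]
    return raw.decode("utf-8" if info.flag_bits & UTF8_FLAG else "cp437")


def header_directory_mismatches(archive):
    """(central_directory_name, local_header_name) pairs where the two disagree."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            local = _local_name(archive, info)
            if local != info.orig_filename:
                out.append((info.orig_filename, local))
    return out


def stdlib_reads_all_members(archive):
    """True if Python's zipfile can read every member. On a name mismatch it raises
    BadZipFile ('File name in directory ... and header ... differ'), which is the
    crash path picklescan < 0.0.23 hit."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                zf.read(info.filename)
        return True
    except zipfile.BadZipFile:
        return False


def gate_decision(archive):
    """Fail-closed pre-scan gate: anything the strict reader rejects, or whose
    headers disagree, is rejected instead of being forwarded unscanned."""
    if header_directory_mismatches(archive) or not stdlib_reads_all_members(archive):
        return "reject"
    return "scan"


def sample_archives():
    """Constructed clean archive and a tampered copy (hypothetical member names)."""
    clean = build_model_archive({
        "archive/data.pkl": pickle.dumps({"weight": [0.1, 0.2]}),  # harmless stand-in payload
        "archive/version": b"3\n",
    })
    evil = rename_local_header(clean, "archive/data.pkl", "archive/data.bin")
    return clean, evil


if __name__ == "__main__":
    clean, evil = sample_archives()
    for label, blob in (("clean", clean), ("tampered", evil)):
        print(label, gate_decision(blob), header_directory_mismatches(blob),
              "stdlib_ok=%s" % stdlib_reads_all_members(blob))
```

Run it with python to print the decision for both archives. The gate deliberately rejects on either signal, a header/directory disagreement found by walking the local headers or any BadZipFile from the stdlib reader, so an archive that would crash the scanner is never forwarded to torch.load.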

🔍 How to Verify

Check if Vulnerable:

Compare the installed version against 0.0.23 numerically (a plain string match on 0.0.2x misses older releases such as 0.0.1x). Run this in every Python environment that imports picklescan:

python -c "import importlib.metadata as m, sys; v = m.version('picklescan'); sys.exit(0 if tuple(int(x) for x in v.split('.')[:3]) >= (0, 0, 23) else 1)" || echo 'VULNERABLE'

Check Version:

pip show picklescan

Verify Fix Applied:

python -c "import importlib.metadata as m, sys; v = m.version('picklescan'); sys.exit(0 if tuple(int(x) for x in v.split('.')[:3]) >= (0, 0, 23) else 1)" && echo 'PATCHED'

📡 Detection & Monitoring

Log Indicators:

  • picklescan tracebacks ending in zipfile.BadZipFile, in particular the message "File name in directory ... and header ... differ"
  • Unexpected scanning failures on PyTorch model files, which should be treated as security events (a possible bypass attempt), not as operational noise

Network Indicators:

  • Downloads of PyTorch model files from untrusted sources

SIEM Query:

process.name='picklescan' AND (event.outcome='failure' OR event.action='crash')
