CVE-2025-1945
📋 TL;DR
CVE-2025-1945 is a vulnerability in picklescan versions before 0.0.23 that allows attackers to bypass security scanning by embedding malicious pickle files in PyTorch model archives with modified ZIP header bits. This leads to arbitrary code execution when compromised models are loaded via torch.load(). Organizations using picklescan to validate PyTorch models before deployment are affected.
💻 Affected Systems
- picklescan
📦 What is this software?
Picklescan by Mmaitre314
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution when loading a malicious PyTorch model, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Attackers distribute poisoned ML models that execute malicious code when loaded, compromising ML pipelines and potentially stealing sensitive data or intellectual property.
If Mitigated
Limited impact if models are only loaded in isolated environments with strict network controls and minimal privileges.
🎯 Exploit Status
Proof of concept is available in the security advisory. Attack requires creating a specially crafted ZIP archive with modified header bits, which is straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.0.23
Vendor Advisory: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792
Restart Required: No
Instructions:
1. Update picklescan: pip install --upgrade picklescan==0.0.23
2. Verify installation: pip show picklescan
3. Re-run security scans on any previously scanned PyTorch models.
🔧 Temporary Workarounds
Disable picklescan scanning
Temporarily disable picklescan scanning until patched, but this leaves systems vulnerable to other pickle-based attacks.
# Not recommended as it removes security controls
Use alternative scanning tools
Use other pickle security scanners, such as PyTorch's built-in safety features or third-party alternatives.
# Research and implement alternative pickle security scanners
🧯 If You Can't Patch
- Only load PyTorch models from trusted, verified sources with cryptographic signatures
- Run model loading in isolated containers or sandboxes with minimal privileges and network access
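A defensive pre-check, added here as an example and not part of the advisory or of picklescan itself: before a PyTorch checkpoint (a ZIP archive) is scanned or loaded, parse each member's local file header and require it to agree with the archive's central directory entry, and treat any error raised while reading members as a reason to reject the archive. The sample archive, its member names and the flag bit the tampering helper sets (0x0002) are constructed for the demonstration; the check is a generic header-consistency heuristic for ZIP files, not a signature for this CVE.

```python
"""Header-consistency pre-check for ZIP-based PyTorch checkpoints.

Added example (not picklescan's code): every field checked below is stored
twice in a ZIP file, once in the member's local file header and once in the
central directory. A well-formed archive has identical copies; a mismatch, or
any error while reading members, is grounds to reject the file before it is
handed to torch.load().
"""
import io
import struct
import zipfile

# Local file header (PKZIP APPNOTE 4.3.7): signature, version needed, general
# purpose flag bits, method, mod time, mod date, CRC-32, compressed size,
# uncompressed size, file name length, extra field length.
LOCAL_HEADER_FMT = "<4s5H3L2H"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
LOCAL_HEADER_SIG = b"PK\x03\x04"
UTF8_FLAG = 0x0800


def check_zip_consistency(data: bytes) -> list:
    """Return a list of findings for the archive in `data`; empty means consistent."""
    findings = []
    buf = io.BytesIO(data)
    try:
        zf = zipfile.ZipFile(buf)  # parses the central directory only
    except zipfile.BadZipFile as exc:
        return [f"archive unreadable: {exc}"]
    with zf:
        for info in zf.infolist():
            buf.seek(info.header_offset)
            raw = buf.read(LOCAL_HEADER_SIZE)
            if len(raw) < LOCAL_HEADER_SIZE:
                findings.append(f"{info.filename}: truncated local header")
                continue
            (sig, _ver, flags, method, _t, _d, crc,
             _csize, _usize, fnlen, _xlen) = struct.unpack(LOCAL_HEADER_FMT, raw)
            if sig != LOCAL_HEADER_SIG:
                findings.append(f"{info.filename}: bad local header signature {sig!r}")
                continue
            encoding = "utf-8" if flags & UTF8_FLAG else "cp437"
            local_name = buf.read(fnlen).decode(encoding, errors="replace")
            # Compare the local copy of each field with the central directory copy.
            if local_name != info.orig_filename:
                findings.append(f"{info.filename}: local header names {local_name!r}")
            if flags != info.flag_bits:
                findings.append(f"{info.filename}: flag bits {flags:#06x} in local header "
                                f"vs {info.flag_bits:#06x} in central directory")
            if method != info.compress_type:
                findings.append(f"{info.filename}: compression method mismatch")
            if crc != info.CRC:
                findings.append(f"{info.filename}: CRC mismatch between headers")
        # Finally read every member. Any exception at all, not only BadZipFile,
        # is a finding: an archive a scanner cannot read must not be loaded.
        try:
            bad = zf.testzip()
        except Exception as exc:  # noqa: BLE001 - deliberate, see comment above
            findings.append(f"error while reading members: {type(exc).__name__}: {exc}")
        else:
            if bad is not None:
                findings.append(f"{bad}: CRC mismatch on member data")
    return findings


def build_sample_model_archive() -> bytes:
    """Constructed stand-in for a zip checkpoint (layout only; the pickle is just None)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", b"\x80\x04N.")  # protocol-4 pickle of None
        zf.writestr("model/version", b"3\n")
    return buf.getvalue()


def tamper_local_flag_bits(data: bytes, member: str, bit: int) -> bytes:
    """Constructed test input: set a flag bit in `member`'s local header only.

    The central directory is left untouched, so CRC checks still pass and the
    only evidence is the disagreement between the two header copies.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        offset = zf.getinfo(member).header_offset
    flag_pos = offset + 6  # 4-byte signature + 2-byte "version needed"
    flags = struct.unpack_from("<H", data, flag_pos)[0] | bit
    out = bytearray(data)
    struct.pack_into("<H", out, flag_pos, flags)
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_model_archive()
    tampered = tamper_local_flag_bits(clean, "model/data.pkl", 0x0002)
    print("clean archive:", check_zip_consistency(clean) or "OK")
    print("tampered archive:", check_zip_consistency(tampered))
```

The tampered sample passes `testzip()` because the CRC covers member data, not header fields; only the local-versus-central comparison reports it. An archive with any finding should be rejected before it reaches torch.load(), and the finding text is worth logging, since it is exactly the "unusual ZIP file error" class of indicator the detection section below describes.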
🔍 How to Verify
Check if Vulnerable:
Run: pip show picklescan | grep Version
If the reported version is earlier than 0.0.23, the system is vulnerable.
Verify Fix Applied:
Run: pip show picklescan | grep Version
Confirm the reported version is 0.0.23 or later.
📡 Detection & Monitoring
Log Indicators:
- Failed picklescan scans with unusual ZIP file errors
- Unexpected process execution following torch.load() operations
- Network connections from ML processes to unexpected destinations
Network Indicators:
- ML processes making unexpected outbound connections
- Downloads of PyTorch models from untrusted sources
SIEM Query:
Process execution where (process_name contains 'python' OR process_name contains 'torch') AND command_line contains 'torch.load'