CVE-2025-10155 Overview
CVE-2025-10155 is an Improper Input Validation vulnerability affecting mmaitre314 picklescan, a security tool designed to scan Python pickle files for potentially malicious content. The vulnerability exists in the scanning logic of picklescan versions up to and including 0.0.30, where an attacker can bypass security checks by supplying a standard pickle file with a PyTorch-related file extension. When the scanner incorrectly deems the file safe and it is subsequently loaded, malicious code embedded within the pickle can be executed.
Critical Impact
Remote attackers can bypass pickle file security scanning entirely by manipulating file extensions, leading to arbitrary code execution when the malicious pickle is loaded by downstream applications.
Affected Products
- mmaitre314 picklescan versions up to and including 0.0.30
Discovery Timeline
- 2025-09-17 - CVE-2025-10155 published to NVD
- 2025-10-02 - Last updated in NVD database
Technical Details for CVE-2025-10155
Vulnerability Analysis
This vulnerability represents a critical input validation flaw in the picklescan security tool. Picklescan is designed to analyze Python pickle files and detect potentially dangerous deserialization patterns before they can be loaded and executed. The tool serves as a security layer for machine learning workflows that frequently use pickle files for model serialization.
The core issue lies in how picklescan determines whether to apply its security scanning logic. The scanner uses file extensions to determine how files should be processed, and files with certain PyTorch-related extensions receive different treatment during analysis. By exploiting this extension-based categorization, an attacker can craft a standard pickle file containing malicious payloads but give it a PyTorch-associated extension, causing the scanner to apply incorrect or insufficient validation rules.
When the file passes through picklescan without proper scrutiny, downstream applications that trust the scanner's verdict will proceed to deserialize the pickle content. Python's pickle module is inherently unsafe because it can execute arbitrary code during deserialization, which is precisely why tools like picklescan exist. This bypass effectively nullifies the security protection that picklescan is meant to provide.
Root Cause
The root cause stems from improper input validation in the file type detection logic within picklescan's scanner module. The vulnerability exists because the scanner relies on file extensions to determine the appropriate scanning behavior rather than properly inspecting the actual file contents. This extension-based trust allows attackers to disguise standard pickle files as PyTorch-related formats, bypassing the intended security checks. The flawed logic can be traced to the scanner implementation in the scanner.py module.
Attack Vector
The attack leverages network-accessible file uploads or transfers where picklescan is used as a security gate. An attacker prepares a malicious pickle file whose stream invokes a callable on load (commonly built with Python's __reduce__ method, which the pickler turns into GLOBAL and REDUCE opcodes). Instead of using standard pickle extensions like .pkl or .pickle, the attacker renames the file with a PyTorch-related extension such as .pt or .pth.
When this file is submitted to a system protected by the vulnerable picklescan version, the scanner misidentifies the file type and applies incorrect validation rules. The file is marked as safe, allowing it to pass through to applications that subsequently deserialize it using Python's pickle module. Upon deserialization, the embedded malicious code executes with the privileges of the application processing the file.
This attack is particularly dangerous in machine learning pipelines where model files are frequently exchanged and loaded from potentially untrusted sources such as model hubs, collaborative platforms, or user uploads.
Detection Methods for CVE-2025-10155
Indicators of Compromise
- Presence of pickle files with PyTorch extensions (.pt, .pth) that contain standard pickle opcodes rather than legitimate PyTorch serialization structures
- Unexpected process spawning or network connections originating from Python processes that load pickle/model files
- Anomalous file uploads with PyTorch-related extensions to systems using picklescan for security validation
- Evidence of pickle deserialization errors followed by successful code execution patterns
Detection Strategies
- Implement content-based file type detection that analyzes file headers and internal structures rather than relying solely on extensions
- Deploy application-level logging to capture all pickle deserialization events and correlate with source file metadata
- Monitor for process creation chains where Python interpreter processes spawn unexpected child processes after loading model files
- Utilize endpoint detection capabilities to identify suspicious command execution following pickle file operations
Monitoring Recommendations
- Enable verbose logging on systems using picklescan to capture file extension and content type decisions
- Configure alerts for pickle file processing events where the extension does not match detected content type
- Monitor network egress from machine learning pipeline systems for unexpected connections following model loading operations
- Establish baselines for normal pickle file processing patterns and alert on deviations
How to Mitigate CVE-2025-10155
Immediate Actions Required
- Upgrade picklescan to a version newer than 0.0.30 that addresses this vulnerability
- Audit all pickle/model files currently stored or queued for processing in affected environments
- Implement additional content-type validation independent of picklescan as a defense-in-depth measure
- Review and restrict permissions for processes that handle pickle deserialization to limit potential damage from code execution
Patch Information
The vendor has published a security advisory addressing this vulnerability. Organizations using picklescan should consult the GitHub Security Advisory GHSA-jgw4-cr84-mqxg for official patch information and upgrade instructions. Update to the latest available version of picklescan that resolves the improper input validation in the scanning logic.
Workarounds
- Implement mandatory content-based file type detection before files reach picklescan, rejecting files where extension does not match content
- Restrict accepted file extensions to only those explicitly required by your application, blocking PyTorch-related extensions if not needed
- Deploy additional sandboxing around pickle deserialization operations to contain potential code execution
- Consider using safer serialization formats such as safetensors for machine learning model storage where pickle is not strictly required
- Apply strict input validation on all file upload endpoints to verify file content matches expected format regardless of extension
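As an added example (not code from the page or from the picklescan project), the content-first gate that the detection strategies and workarounds above describe: the container type is read from the bytes, every pickle stream actually present is walked with pickletools (nothing is deserialized), and a bare pickle behind a .pt/.pth name is reported as an extension/content mismatch. The deny-list, the zip layout stand-in and the helper names are assumptions made for this example.

```python
import io
import pickletools
import zipfile
DANGEROUS_GLOBALS = {("os", "system"), ("os", "popen"), ("subprocess", "Popen"), ("builtins", "eval")}  # constructed deny-list; picklescan's own list is much longer
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def sniff_container(data: bytes) -> str:
    """Classify by header bytes and opcode structure, never by file extension."""
    if data[:4] == b"PK\x03\x04":
        return "zip"        # torch.save() archive layout (archive/data.pkl inside)
    if data[:1] == b"\x80":
        return "pickle"     # PROTO opcode: binary pickle, protocol 2 or newer
    try:                    # protocol 0/1 has no header: accept only a stream that parses through to STOP
        ops = [op.name for op, _arg, _pos in pickletools.genops(data)]
        return "pickle" if ops and ops[-1] == "STOP" else "unknown"
    except Exception:
        return "unknown"

def pickle_globals(stream: bytes):
    """Yield (module, name) for each GLOBAL / STACK_GLOBAL by walking opcodes; nothing is executed."""
    strings = []            # recent string constants; STACK_GLOBAL consumes the top two
    for op, arg, _pos in pickletools.genops(stream):
        if op.name == "GLOBAL":
            yield tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            yield strings[-2], strings[-1]   # memo (BINGET) references are not tracked here
        elif op.name in STRING_OPS:
            strings.append(arg)

def scan_model_file(filename: str, data: bytes) -> dict:
    """Scan every pickle stream the content actually contains, whatever the extension claims."""
    kind = sniff_container(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        streams = [data] if kind == "pickle" else []
    findings = [g for s in streams for g in pickle_globals(s) if g in DANGEROUS_GLOBALS]
    # A bare pickle behind .pt/.pth is worth logging (legacy torch.save output also looks like this),
    # but the verdict comes from the opcode scan, not from the extension.
    return {"container": kind, "findings": findings,
            "extension_mismatch": filename.lower().endswith((".pt", ".pth")) and kind == "pickle"}

def build_zip_model(inner: bytes) -> bytes:
    """Constructed stand-in for the torch.save() zip layout, used only to build test samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", inner)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()
```

The mismatch flag is a logging signal for the extension-vs-content alert described above; the block or allow decision should rest on the opcode findings.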
# Configuration example - check the installed picklescan version, then upgrade
pip show picklescan | grep Version
pip install --upgrade picklescan
# Alternative: require a patched version (quote the specifier so the shell does not treat ">" as a redirect)
pip install "picklescan>=0.0.31"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


