Skip to main content
CVE Vulnerability Database

CVE-2025-1945: Mmaitre314 Picklescan RCE Vulnerability

CVE-2025-1945 is a remote code execution flaw in Mmaitre314 Picklescan that allows attackers to bypass detection of malicious pickle files in PyTorch models. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-1945 Overview

CVE-2025-1945 is an Insecure Deserialization vulnerability affecting PickleScan, a security tool designed to detect malicious pickle files in machine learning model archives. The vulnerability allows attackers to bypass PickleScan's detection mechanisms by manipulating specific flag bits in ZIP file headers. When certain bits in the ZIP file headers are flipped, malicious pickle files embedded within PyTorch model archives remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load() function, potentially leading to arbitrary code execution.

Critical Impact

Attackers can embed malicious pickle files in PyTorch model archives that bypass security scanning while still executing arbitrary code when the model is loaded, compromising ML/AI pipeline security.

Affected Products

  • mmaitre314 picklescan versions prior to 0.0.23

Discovery Timeline

  • 2025-03-10 - CVE-2025-1945 published to NVD
  • 2025-12-29 - Last updated in NVD database

Technical Details for CVE-2025-1945

Vulnerability Analysis

This vulnerability exploits a fundamental weakness in how PickleScan parses ZIP file structures compared to PyTorch's more permissive torch.load() implementation. The discrepancy arises because PickleScan uses Python's standard zipfile module with strict header validation, while PyTorch's loading mechanism is more forgiving of header anomalies.

The attack takes advantage of CWE-345 (Insufficient Verification of Data Authenticity), where PickleScan fails to properly validate and process ZIP archives with modified flag bits. An attacker can craft a PyTorch model archive (.pt or .pth file) containing malicious pickle payloads that execute arbitrary Python code upon deserialization. The modified ZIP headers cause PickleScan to either skip scanning certain files or misinterpret the archive structure entirely.

Root Cause

The root cause lies in PickleScan's reliance on the standard Python zipfile module, which strictly adheres to ZIP format specifications. When specific flag bits in ZIP file headers are modified, the standard zipfile implementation may fail to recognize or properly process embedded files. However, PyTorch's torch.load() uses a more relaxed parsing approach that successfully extracts and deserializes these files regardless of the header modifications. This parsing discrepancy creates a security gap where malicious content passes through undetected.

Attack Vector

The attack is network-based and requires user interaction. An attacker would:

  1. Create a PyTorch model archive containing malicious pickle files designed to execute arbitrary code
  2. Modify specific ZIP file header flag bits to evade PickleScan detection
  3. Distribute the compromised model through model repositories, shared storage, or supply chain attacks
  4. When a victim downloads and loads the model using torch.load(), the malicious pickle payload executes with the user's privileges

The fix introduced a RelaxedZipFile class that implements more permissive ZIP parsing to match PyTorch's behavior:

python
+import struct
+import zipfile
+
+# More forgiving implementation of zipfile.ZipFile
+_FH_SIGNATURE = 0
+_FH_FILENAME_LENGTH = 10
+_FH_EXTRA_FIELD_LENGTH = 11
+
+structFileHeader = "<4s2B4HL2L2H"
+stringFileHeader = b"PK\\003\\004"
+sizeFileHeader = struct.calcsize(structFileHeader)
+
+
+class RelaxedZipFile(zipfile.ZipFile):
+    def open(self, name, mode="r", pwd=None, *, force_zip64=False):
+        # near copy of zipfile.ZipFile.open with
+        """Return file-like object for 'name'.
+
+        name is a string for the file name within the ZIP file, or a ZipInfo
+        object.
+
+        mode should be 'r' to read a file already in the ZIP file, or 'w' to
+        write to a file newly added to the archive.
+
+        pwd is the password to decrypt files (only used for reading).
+
+        When writing, if the file size is not known in advance but may exceed
+        2 GiB, pass force_zip64 to use the ZIP64 format, which can handle large
+        files.  If the size is known in advance, it is best to pass a ZipInfo
+        instance for name, with zinfo.file_size set.

Source: GitHub Commit

The scanner was then updated to use this new relaxed implementation:

python
 from typing import IO, List, Optional, Set, Tuple
 import urllib.parse
 import zipfile
+from .relaxed_zipfile import RelaxedZipFile
 
 from .torch import (
     get_magic_number,

Source: GitHub Commit

Detection Methods for CVE-2025-1945

Indicators of Compromise

  • PyTorch model files (.pt, .pth) with unusual or modified ZIP file header structures
  • Model archives that fail standard ZIP validation but load successfully with torch.load()
  • Unexpected process spawning or network connections during model loading operations
  • Suspicious pickle opcodes like REDUCE, BUILD, or GLOBAL referencing dangerous modules such as os, subprocess, or builtins

Detection Strategies

  • Implement secondary validation of model archives using multiple ZIP parsing implementations to detect header manipulation
  • Monitor for code execution attempts during model deserialization operations
  • Deploy endpoint detection for suspicious child processes spawned by Python/ML workloads
  • Audit model provenance and implement integrity verification for downloaded models

Monitoring Recommendations

  • Enable detailed logging for all model loading operations in ML pipelines
  • Alert on ZIP parsing discrepancies or errors during security scans of model files
  • Monitor network activity originating from processes loading untrusted model files
  • Track file system modifications and process creation events during torch.load() calls

How to Mitigate CVE-2025-1945

Immediate Actions Required

  • Upgrade PickleScan to version 0.0.23 or later immediately
  • Re-scan all previously scanned model archives with the updated version
  • Audit model repositories and shared storage for potentially compromised models
  • Implement model provenance verification and cryptographic signing where possible

Patch Information

The vulnerability has been addressed in PickleScan version 0.0.23. The fix introduces a RelaxedZipFile class in src/picklescan/relaxed_zipfile.py that implements more permissive ZIP file parsing to match PyTorch's behavior, ensuring consistent detection regardless of ZIP header modifications.

Patch details are available in the GitHub Security Advisory and the specific commit fix.

Workarounds

  • Avoid loading PyTorch models from untrusted sources until PickleScan is updated
  • Use torch.load() with weights_only=True parameter when possible to restrict deserialization
  • Implement additional validation layers using alternative ZIP parsing libraries
  • Consider sandboxing model loading operations in isolated environments
bash
# Upgrade PickleScan to patched version
pip install --upgrade picklescan>=0.0.23

# Verify installed version
pip show picklescan | grep Version

# Re-scan existing model archives
picklescan --path /path/to/models/

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.