CVE-2025-1945 Overview
CVE-2025-1945 is an Insecure Deserialization vulnerability affecting PickleScan, a security tool designed to detect malicious pickle files in machine learning model archives. The vulnerability allows attackers to bypass PickleScan's detection mechanisms by manipulating specific flag bits in ZIP file headers. When certain bits in the ZIP file headers are flipped, malicious pickle files embedded within PyTorch model archives remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load() function, potentially leading to arbitrary code execution.
Critical Impact
Attackers can embed malicious pickle files in PyTorch model archives that bypass security scanning while still executing arbitrary code when the model is loaded, compromising ML/AI pipeline security.
Affected Products
- mmaitre314 picklescan versions prior to 0.0.23
Discovery Timeline
- 2025-03-10 - CVE-2025-1945 published to NVD
- 2025-12-29 - Last updated in NVD database
Technical Details for CVE-2025-1945
Vulnerability Analysis
This vulnerability exploits a fundamental weakness in how PickleScan parses ZIP file structures compared to PyTorch's more permissive torch.load() implementation. The discrepancy arises because PickleScan uses Python's standard zipfile module with strict header validation, while PyTorch's loading mechanism is more forgiving of header anomalies.
The attack takes advantage of CWE-345 (Insufficient Verification of Data Authenticity), where PickleScan fails to properly validate and process ZIP archives with modified flag bits. An attacker can craft a PyTorch model archive (.pt or .pth file) containing malicious pickle payloads that execute arbitrary Python code upon deserialization. The modified ZIP headers cause PickleScan to either skip scanning certain files or misinterpret the archive structure entirely.
Root Cause
The root cause lies in PickleScan's reliance on the standard Python zipfile module, which strictly adheres to ZIP format specifications. When specific flag bits in ZIP file headers are modified, the standard zipfile implementation may fail to recognize or properly process embedded files. However, PyTorch's torch.load() uses a more relaxed parsing approach that successfully extracts and deserializes these files regardless of the header modifications. This parsing discrepancy creates a security gap where malicious content passes through undetected.
Attack Vector
The attack is network-based and requires user interaction. An attacker would:
- Create a PyTorch model archive containing malicious pickle files designed to execute arbitrary code
- Modify specific ZIP file header flag bits to evade PickleScan detection
- Distribute the compromised model through model repositories, shared storage, or supply chain attacks
- When a victim downloads and loads the model using torch.load(), the malicious pickle payload executes with the user's privileges
The fix introduced a RelaxedZipFile class that implements more permissive ZIP parsing to match PyTorch's behavior:
+import struct
+import zipfile
+
+# More forgiving implementation of zipfile.ZipFile
+_FH_SIGNATURE = 0
+_FH_FILENAME_LENGTH = 10
+_FH_EXTRA_FIELD_LENGTH = 11
+
+structFileHeader = "<4s2B4HL2L2H"
+stringFileHeader = b"PK\\003\\004"
+sizeFileHeader = struct.calcsize(structFileHeader)
+
+
+class RelaxedZipFile(zipfile.ZipFile):
+ def open(self, name, mode="r", pwd=None, *, force_zip64=False):
+ # near copy of zipfile.ZipFile.open with
+ """Return file-like object for 'name'.
+
+ name is a string for the file name within the ZIP file, or a ZipInfo
+ object.
+
+ mode should be 'r' to read a file already in the ZIP file, or 'w' to
+ write to a file newly added to the archive.
+
+ pwd is the password to decrypt files (only used for reading).
+
+ When writing, if the file size is not known in advance but may exceed
+ 2 GiB, pass force_zip64 to use the ZIP64 format, which can handle large
+ files. If the size is known in advance, it is best to pass a ZipInfo
+ instance for name, with zinfo.file_size set.
Source: GitHub Commit
The scanner was then updated to use this new relaxed implementation:
from typing import IO, List, Optional, Set, Tuple
import urllib.parse
import zipfile
+from .relaxed_zipfile import RelaxedZipFile
from .torch import (
get_magic_number,
Source: GitHub Commit
Detection Methods for CVE-2025-1945
Indicators of Compromise
- PyTorch model files (.pt, .pth) with unusual or modified ZIP file header structures
- Model archives that fail standard ZIP validation but load successfully with torch.load()
- Unexpected process spawning or network connections during model loading operations
- Suspicious pickle opcodes like REDUCE, BUILD, or GLOBAL referencing dangerous modules such as os, subprocess, or builtins
Detection Strategies
- Implement secondary validation of model archives using multiple ZIP parsing implementations to detect header manipulation
- Monitor for code execution attempts during model deserialization operations
- Deploy endpoint detection for suspicious child processes spawned by Python/ML workloads
- Audit model provenance and implement integrity verification for downloaded models
Monitoring Recommendations
- Enable detailed logging for all model loading operations in ML pipelines
- Alert on ZIP parsing discrepancies or errors during security scans of model files
- Monitor network activity originating from processes loading untrusted model files
- Track file system modifications and process creation events during torch.load() calls
How to Mitigate CVE-2025-1945
Immediate Actions Required
- Upgrade PickleScan to version 0.0.23 or later immediately
- Re-scan all previously scanned model archives with the updated version
- Audit model repositories and shared storage for potentially compromised models
- Implement model provenance verification and cryptographic signing where possible
Patch Information
The vulnerability has been addressed in PickleScan version 0.0.23. The fix introduces a RelaxedZipFile class in src/picklescan/relaxed_zipfile.py that implements more permissive ZIP file parsing to match PyTorch's behavior, ensuring consistent detection regardless of ZIP header modifications.
Patch details are available in the GitHub Security Advisory and the specific commit fix.
Workarounds
- Avoid loading PyTorch models from untrusted sources until PickleScan is updated
- Use torch.load() with weights_only=True parameter when possible to restrict deserialization
- Implement additional validation layers using alternative ZIP parsing libraries
- Consider sandboxing model loading operations in isolated environments
# Upgrade PickleScan to patched version
pip install --upgrade picklescan>=0.0.23
# Verify installed version
pip show picklescan | grep Version
# Re-scan existing model archives
picklescan --path /path/to/models/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
