Critical security vulnerabilities have been discovered in Picklescan, an open-source utility designed to safeguard against malicious code embedded within Python pickle files, particularly those used in machine learning frameworks like PyTorch. At least three severe flaws have been detailed, enabling attackers to bypass the scanner’s protections and execute arbitrary code by loading untrusted PyTorch models, potentially leading to widespread supply chain attacks.
The vulnerabilities were identified by JFrog researchers and have been addressed in a recent update to Picklescan. These findings highlight the ongoing challenges in securing the rapidly evolving landscape of artificial intelligence development, where new attack vectors can emerge faster than security tools can adapt.
Picklescan Vulnerabilities Expose PyTorch Model Security Risks
Picklescan, developed by Matthieu Maitre, works by analyzing the bytecode of pickle files to detect suspicious imports and operations. Pickle is a prevalent serialization format in machine learning, used for saving and loading models in frameworks such as PyTorch. The format itself, however, poses a significant security risk: a pickle file can be engineered to execute arbitrary Python code the moment it is loaded. For this reason, only trusted models should be loaded, or model weights obtained from secure sources like TensorFlow and Flax.
The newly disclosed issues, however, allow malicious actors to circumvent Picklescan’s detection mechanisms. Attackers can present scanned model files as safe, thereby enabling the execution of hidden malicious code. This scenario represents a significant threat, as it can be leveraged for large-scale supply chain attacks by distributing compromised machine learning models.
“Each discovered vulnerability enables attackers to evade PickleScan’s malware detection and potentially execute a large-scale supply chain attack by distributing malicious ML models that conceal undetectable malicious code,” stated security researcher David Cohen, as reported by the source. Picklescan’s strategy of using a blocklist for known hazardous imports and operations, rather than an allowlist, means it can be vulnerable to novel attack techniques that have not yet been cataloged.
Detailed Vulnerabilities and Their Impact
According to the findings, three specific vulnerabilities have been identified:
- CVE-2025-10155 (CVSS score: 9.3/7.8): This vulnerability centers on a file extension bypass. Attackers can disguise malicious pickle files by using common PyTorch-related extensions, such as `.bin` or `.pt`. This tricks the scanner into treating the file as benign, allowing the model to be loaded and its embedded malicious code to execute.
- CVE-2025-10156 (CVSS score: 9.3/7.5): This flaw allows for the bypass of ZIP archive scanning. By intentionally introducing a Cyclic Redundancy Check (CRC) error within a ZIP archive that contains malicious models, attackers can disrupt the scanner’s ability to properly process the archive’s contents, ultimately rendering its security checks ineffective.
- CVE-2025-10157 (CVSS score: 9.3/8.3): This vulnerability targets Picklescan’s “unsafe globals” check. It enables attackers to circumvent the blocklist of dangerous imports by crafting malicious PyTorch models with embedded pickle payloads. This bypass allows arbitrary code execution by subverting the scanner’s protective measures against unsafe global operations.
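The three bypasses above, together with the blocklist weakness noted earlier, translate into three properties a defender wants from a pickle scanner: decide on content rather than file extension, treat a ZIP member that fails its CRC as a finding rather than something to skip, and report any global not on an allowlist. The following is an added illustration of those properties in plain Python; it is not Picklescan's code, the allowlist entries and sample files are constructed for the example, and `torch._utils._rebuild_tensor_v2` is listed only as a typical checkpoint global.

```python
import collections, io, json, pickle, pickletools, zipfile

# Allowlist (assumed, illustrative): unlisted globals are reported, catalogued as harmful or not.
ALLOWED_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2"}

def pickle_globals(data: bytes) -> list:
    """List module.name references by disassembling opcodes; nothing runs."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is 'module name'
            found.append(".".join(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: two pushed strings
            found.append(".".join(strings[-2:]))
        elif "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg)
    return found

def scan_bytes(data: bytes) -> list:
    """Findings for one blob (empty = clean); content is sniffed, not the name."""
    if data.startswith(b"PK\x03\x04"):     # a .pt checkpoint is a ZIP container
        return scan_zip(data)
    try:
        globs = pickle_globals(data)
    except Exception as exc:   # undisassemblable input is a finding, not a pass
        return [f"undecodable pickle: {exc}"]
    return [f"disallowed global {g}" for g in globs if g not in ALLOWED_GLOBALS]

def scan_zip(data: bytes) -> list:
    """Scan every ZIP member; a CRC error is reported, never silently skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            try:                           # zf.read raises BadZipFile on CRC mismatch
                findings += [f"{name}: {f}" for f in scan_bytes(zf.read(name))]
            except zipfile.BadZipFile as exc:
                findings.append(f"{name}: corrupt member ({exc})")
    return findings

def make_zip(name: str, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed sample ZIP; corrupt=True flips a data byte to break the CRC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    blob = bytearray(buf.getvalue())
    if corrupt:
        blob[blob.index(payload) + len(payload) - 1] ^= 0xFF
    return bytes(blob)

# Constructed samples: a benign object, and a reference to harmless json.dumps, reported anyway.
SAMPLE_OK, SAMPLE_FLAGGED = pickle.dumps(collections.OrderedDict()), pickle.dumps(json.dumps)
```

The `json.dumps` sample is the point of the allowlist: the scanner never has to know whether a global is dangerous, only whether it was expected.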
Successful exploitation of these vulnerabilities could empower attackers to conceal potent pickle payloads within seemingly innocuous files, corrupt ZIP archives to evade detection, or embed harmful code directly into PyTorch models, all while appearing to pass security scans.
Following a responsible disclosure on June 29, 2025, the identified vulnerabilities were addressed by the Picklescan developers. Version 0.0.31, released on September 9, 2025, contains the necessary patches to mitigate these risks. This rapid response from the development team underscores the importance of proactive security measures in open-source projects.
These findings point to systemic issues in current security architectures for AI. Relying on a single scanning tool creates blind spots, especially where security tools and the AI frameworks themselves disagree on how a file should be handled. Moreover, PyTorch's evolving features and model formats can outpace the ability of conventional security scanners to adapt.
“AI libraries like PyTorch grow more complex by the day, introducing new features, model formats, and execution pathways faster than security scanning tools can adapt,” Cohen explained. “This widening gap between innovation and protection leaves organizations exposed to emerging threats that conventional tools simply weren’t designed to anticipate.”
The path forward likely involves developing more sophisticated, AI-model-specific security proxies. Such systems would require continuous updates informed by security experts who can anticipate both offensive and defensive strategies. By actively analyzing new models, tracking library updates, and uncovering novel exploitation techniques, these advanced solutions aim to provide adaptive, intelligence-driven protection against the most critical emerging vulnerabilities in machine learning supply chains.