CVE-2025-1944

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781	Patch
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82	Exploit Vendor Advisory
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*

History

19 Mar 2025, 16:11

Type	Values Removed	Values Added
First Time		Mmaitre314 Mmaitre314 picklescan
CPE		cpe:2.3:a:mmaitre314:picklescan::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
Summary		(es) Las versiones anteriores a la versión 0.0.23 de picklescan son vulnerables a un ataque de manipulación de archivos ZIP que provoca que se bloquee al intentar extraer y escanear archivos de modelos de PyTorch. Al modificar el nombre del archivo en el encabezado ZIP y mantener el nombre del archivo original en la lista de directorios, un atacante puede hacer que PickleScan genere un error BadZipFile. Sin embargo, la implementación ZIP más indulgente de PyTorch aún permite cargar el modelo, lo que permite que las cargas maliciosas eludan la detección.
CWE		NVD-CWE-noinfo
References	~~() https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781 -~~	() https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781 - Patch
References	~~() https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82 -~~	() https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7q5r-7gvp-wc82 - Exploit, Vendor Advisory
References	~~() https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944 -~~	() https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1944 - Exploit, Third Party Advisory

10 Mar 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 12:15

Updated : 2025-03-19 16:11

NVD link : CVE-2025-1944

Mitre link : CVE-2025-1944

CVE.ORG link : CVE-2025-1944

JSON object : View

Products Affected

mmaitre314

picklescan

CWE

CWE-345

Insufficient Verification of Data Authenticity

NVD-CWE-noinfo

6.5 /10