CVE-2025-1945

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781	Patch
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792	Exploit Vendor Advisory
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*

History

19 Mar 2025, 16:14

Type	Values Removed	Values Added
First Time		Mmaitre314 Mmaitre314 picklescan
References	~~() https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781 -~~	() https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781 - Patch
References	~~() https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792 -~~	() https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792 - Exploit, Vendor Advisory
References	~~() https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945 -~~	() https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945 - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:mmaitre314:picklescan::::::::
CWE		NVD-CWE-noinfo
Summary		(es) Las versiones anteriores a la versión 0.0.23 de picklescan no detectan archivos pickle maliciosos dentro de los archivos de modelos de PyTorch cuando se modifican ciertos bits de indicadores de archivos ZIP. Al invertir bits específicos en los encabezados de archivos ZIP, un atacante puede incrustar archivos pickle maliciosos que PickleScan no detecta, pero que se cargan correctamente con la función Torch.load() de PyTorch. Esto puede provocar la ejecución de código arbitrario al cargar un modelo comprometido.

10 Mar 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 12:15

Updated : 2025-03-19 16:14

NVD link : CVE-2025-1945

Mitre link : CVE-2025-1945

CVE.ORG link : CVE-2025-1945

JSON object : View

Products Affected

mmaitre314

picklescan

CWE

CWE-345

Insufficient Verification of Data Authenticity

NVD-CWE-noinfo

9.8 /10