PYSEC-2025-151
Vulnerability from pysec - Published: 2025-09-17 10:15 - Updated: 2026-05-20 09:19
VLAI
Details
An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Severity
7.8 (High)
Impacted products
| Name | purl | picklescan | pkg:pypi/picklescan |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan",
"purl": "pkg:pypi/picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.31"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.1",
"0.0.10",
"0.0.11",
"0.0.12",
"0.0.13",
"0.0.14",
"0.0.15",
"0.0.16",
"0.0.17",
"0.0.18",
"0.0.19",
"0.0.2",
"0.0.20",
"0.0.21",
"0.0.22",
"0.0.23",
"0.0.24",
"0.0.25",
"0.0.26",
"0.0.27",
"0.0.28",
"0.0.29",
"0.0.3",
"0.0.30",
"0.0.4",
"0.0.5",
"0.0.6",
"0.0.7",
"0.0.8",
"0.0.9"
]
}
],
"aliases": [
"CVE-2025-10155",
"GHSA-jgw4-cr84-mqxg"
],
"details": "An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.",
"id": "PYSEC-2025-151",
"modified": "2026-05-20T09:19:10.716255Z",
"published": "2025-09-17T10:15:36.913Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463"
},
{
"type": "FIX",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
CVE-2025-10155 (GCVE-0-2025-10155)
Vulnerability from cvelistv5 – Published: 2025-09-17 09:38 – Updated: 2025-09-17 13:04
VLAI
Title
PickleScan Security Bypass Using Misleading File Extension
Summary
An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Severity
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mmaitre314/picklescan/blob/589… | |
| https://github.com/mmaitre314/picklescan/security… | exploitvendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mmaitre314 | picklescan |
Affected:
0 , ≤ 0.0.30
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10155",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:03:48.448396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:04:03.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "picklescan",
"vendor": "mmaitre314",
"versions": [
{
"changes": [
{
"at": "0.0.31",
"status": "unaffected"
}
],
"lessThanOrEqual": "0.0.30",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JFrog"
},
{
"lang": "en",
"type": "finder",
"value": "@xdcrev"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code."
}
],
"value": "An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft a malicious pickle file with a PyTorch-related extension to bypass the PickleScan check. If a victim or an automated system loads this file, believing it to be safe, it can result in arbitrary code execution on the victim\u0027s machine with the privileges of the executing user."
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T09:38:15.056Z",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"name": "Vulnerable Code",
"url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463"
},
{
"name": "Proof of Concept Instructions (GHSA)",
"tags": [
"exploit",
"vendor-advisory"
],
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PickleScan Security Bypass Using Misleading File Extension",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2025-10155",
"datePublished": "2025-09-17T09:38:15.056Z",
"dateReserved": "2025-09-09T11:07:33.136Z",
"dateUpdated": "2025-09-17T13:04:03.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-JGW4-CR84-MQXG
Vulnerability from github – Published: 2025-09-10 19:51 – Updated: 2025-09-18 12:51
VLAI
Summary
Picklescan Bypass is Possible via File Extension Mismatch
Details
Summary
Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.
Details
The vulnerability stems from the logic in the scan_bytes function within picklescan/scanner.py, specifically around line 463: https://github.com/mmaitre314/picklescan/blob/75e60f2c02f3f1a029362e6f334e1921392dcf60/src/picklescan/scanner.py#L463 The code first checks if the file extension (file_ext) is in the pytorch_file_extension list. If it is (e.g., .bin), the scan_pytorch function is called. When a standard pickle file is encountered with a PyTorch extension, scan_pytorch will likely fail. Critically, the code then returns an Error without attempting to analyze the file as a standard pickle using scan_pickle_bytes. This prevents the detection of malicious payloads within such files.
PoC
- Download a malicious pickle file with a standard .pkl extension: wget https://huggingface.co/kzanki/regular_model/resolve/main/model.pkl?download=true -O model.pkl
-
Scan the file with Picklescan (correct detection): /home/davfr/Tests/HF/dangerous_model/model.pkl: dangerous import 'builtins exec' FOUND ----------- SCAN SUMMARY ----------- Scanned files: 1 Infected files: 1 Dangerous globals: 1
-
Rename the file to use a PyTorch-related extension (e.g., .bin): cp model.pkl model.bin
- Scan the renamed file with Picklescan:
Observed Result: Picklescan fails and reports an error related to PyTorch parsing but does not detect the malicious pickle content. Expected Result: Picklescan should recognize the file as a standard pickle format despite the .bin extension and scan it accordingly, identifying the malicious content.
Impact
Severity: High Affected Users: Any organization or individual relying on Picklescan to ensure the safety of PyTorch models or other files that might contain embedded pickle objects. This includes users downloading pre-trained models or receiving files that could potentially contain malicious code. Impact Details: Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt, etc.). These files would then bypass PickleScan's detection mechanism, allowing the malicious code to execute when the file is loaded by a vulnerable application or user. Potential Exploits: This vulnerability significantly weakens the security provided by PickleScan. It opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or even through direct file sharing. Users trusting PickleScan would be unknowingly exposed to these threats. Recommendations The most effective solution is to modify the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails or is not applicable. A suggested approach is: Attempt PyTorch Scan: If the file extension matches a known PyTorch extension, attempt to scan it as a PyTorch object. Fallback to Pickle Scan: Regardless of the success or failure of the PyTorch scan (or if the extension is not a PyTorch extension), always attempt to scan the file as a standard pickle. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities.
Suggested Patch
--- a/src/picklescan/scanner.py
+++ b/src/picklescan/scanner.py
@@ -462,19 +462,28 @@ def scan_bytes(data: IO[bytes], file_id, file_ext: Optional[str] = None) -> Scan
if file_ext is not None and file_ext in pytorch_file_extensions:
try:
return scan_pytorch(data, file_id)
except InvalidMagicError as e:
- _log.error(f"ERROR: Invalid magic number for file {e}")
- return ScanResult([], scan_err=True)
+ _log.warning(f"PyTorch scan failed for {file_id} with extension {file_ext}: {e}")
+ # Don't return error here - continue to other scan methods
elif file_ext is not None and file_ext in numpy_file_extensions:
- return scan_numpy(data, file_id)
- else:
- is_zip = zipfile.is_zipfile(data)
- data.seek(0)
- if is_zip:
- return scan_zip_bytes(data, file_id)
- elif is_7z_file(data):
- return scan_7z_bytes(data, file_id)
- else:
- return scan_pickle_bytes(data, file_id)
+ try:
+ return scan_numpy(data, file_id)
+ except Exception as e:
+ _log.warning(f"NumPy scan failed for {file_id}: {e}")
+
+ # Always attempt additional format checks as fallback
+ data.seek(0) # Reset stream position
+ is_zip = zipfile.is_zipfile(data)
+ data.seek(0)
+ if is_zip:
+ return scan_zip_bytes(data, file_id)
+ elif is_7z_file(data):
+ return scan_7z_bytes(data, file_id)
+ else:
+ # FIX: Always attempt pickle scanning as fallback
+ # This prevents the vulnerability where pickle files with wrong extensions bypass detection
+ return scan_pickle_bytes(data, file_id)
Severity
7.8 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.30"
},
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10155"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-10T19:51:37Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nPicklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would otherwise be scanned for pickle-based threats.\n### Details\nThe vulnerability stems from the logic in the scan_bytes function within picklescan/scanner.py, specifically around line 463:[ https://github.com/mmaitre314/picklescan/blob/75e60f2c02f3f1a029362e6f334e1921392dcf60/src/picklescan/scanner.py#L463](https://github.com/mmaitre314/picklescan/blob/75e60f2c02f3f1a029362e6f334e1921392dcf60/src/picklescan/scanner.py#L463)\nThe code first checks if the file extension (file_ext) is in the pytorch_file_extension list. If it is (e.g., .bin), the scan_pytorch function is called. When a standard pickle file is encountered with a PyTorch extension, scan_pytorch will likely fail. Critically, the code then returns an Error without attempting to analyze the file as a standard pickle using scan_pickle_bytes. This prevents the detection of malicious payloads within such files.\n### PoC\n- Download a malicious pickle file with a standard .pkl extension:\nwget \u003chttps://huggingface.co/kzanki/regular_model/resolve/main/model.pkl?download=true\u003e -O model.pkl\n- Scan the file with Picklescan (correct detection):\n/home/davfr/Tests/HF/dangerous_model/model.pkl: dangerous import \u0027builtins exec\u0027 FOUND\n----------- SCAN SUMMARY -----------\nScanned files: 1\nInfected files: 1\nDangerous globals: 1\n\n- Rename the file to use a PyTorch-related extension (e.g., .bin):\ncp model.pkl model.bin\n- Scan the renamed file with Picklescan:\n\n\n**Observed Result:** Picklescan fails and reports an error related to PyTorch parsing but does not detect the malicious pickle content.\n**Expected Result**: Picklescan should recognize the file as a standard pickle format despite the .bin extension and scan it accordingly, identifying the malicious content.\n### Impact\n**Severity**: High\n**Affected Users**: Any organization or individual relying on Picklescan to ensure the safety of PyTorch models or other files that might contain embedded pickle objects. This includes users downloading pre-trained models or receiving files that could potentially contain malicious code.\n**Impact Details**: Attackers can craft malicious pickle payloads and disguise them within files using common PyTorch extensions (like .bin, .pt, etc.). These files would then bypass PickleScan\u0027s detection mechanism, allowing the malicious code to execute when the file is loaded by a vulnerable application or user.\n**Potential Exploits**: This vulnerability significantly weakens the security provided by PickleScan. It opens the door to various supply chain attacks, where malicious actors could distribute backdoored models through platforms like Hugging Face, PyTorch Hub, or even through direct file sharing. Users trusting PickleScan would be unknowingly exposed to these threats.\n**Recommendations**\nThe most effective solution is to modify the scanning logic to ensure that standard pickle scanning is attempted as a fallback mechanism when PyTorch scanning fails or is not applicable. A suggested approach is:\nAttempt PyTorch Scan: If the file extension matches a known PyTorch extension, attempt to scan it as a PyTorch object.\nFallback to Pickle Scan: Regardless of the success or failure of the PyTorch scan (or if the extension is not a PyTorch extension), always attempt to scan the file as a standard pickle. This ensures that files with misleading extensions are still analyzed for potential pickle-based vulnerabilities.\n### Suggested Patch\n\n```\n--- a/src/picklescan/scanner.py\n+++ b/src/picklescan/scanner.py\n@@ -462,19 +462,28 @@ def scan_bytes(data: IO[bytes], file_id, file_ext: Optional[str] = None) -\u003e Scan\n if file_ext is not None and file_ext in pytorch_file_extensions:\n try:\n return scan_pytorch(data, file_id)\n except InvalidMagicError as e:\n- _log.error(f\"ERROR: Invalid magic number for file {e}\")\n- return ScanResult([], scan_err=True)\n+ _log.warning(f\"PyTorch scan failed for {file_id} with extension {file_ext}: {e}\")\n+ # Don\u0027t return error here - continue to other scan methods\n elif file_ext is not None and file_ext in numpy_file_extensions:\n- return scan_numpy(data, file_id)\n- else:\n- is_zip = zipfile.is_zipfile(data)\n- data.seek(0)\n- if is_zip:\n- return scan_zip_bytes(data, file_id)\n- elif is_7z_file(data):\n- return scan_7z_bytes(data, file_id)\n- else:\n- return scan_pickle_bytes(data, file_id)\n+ try:\n+ return scan_numpy(data, file_id)\n+ except Exception as e:\n+ _log.warning(f\"NumPy scan failed for {file_id}: {e}\")\n+ \n+ # Always attempt additional format checks as fallback\n+ data.seek(0) # Reset stream position\n+ is_zip = zipfile.is_zipfile(data)\n+ data.seek(0)\n+ if is_zip:\n+ return scan_zip_bytes(data, file_id)\n+ elif is_7z_file(data):\n+ return scan_7z_bytes(data, file_id)\n+ else:\n+ # FIX: Always attempt pickle scanning as fallback\n+ # This prevents the vulnerability where pickle files with wrong extensions bypass detection\n+ return scan_pickle_bytes(data, file_id)\n```",
"id": "GHSA-jgw4-cr84-mqxg",
"modified": "2025-09-18T12:51:22Z",
"published": "2025-09-10T19:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-jgw4-cr84-mqxg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10155"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/commit/28a7b4ef753466572bda3313737116eeb9b4e5c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/blob/58983e1c20973ac42f2df7ff15d7c8cd32f9b688/src/picklescan/scanner.py#L463"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Picklescan Bypass is Possible via File Extension Mismatch"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…