Critical vulnerabilities reported in PickleScan
Take action: If you use PickleScan to scan machine learning models, update ASAP to version 0.0.31 or later. There are three critical vulnerabilities with PoC exploits, so attackers will start pushing out malicious payloads. Also, consider using safer serialization formats like Safetensors instead of Pickle for your ML models.
Learn More
The JFrog Security Research Team is reporting three critical zero-day vulnerabilities in PickleScan, a widely used tool for scanning machine learning models and ensuring they contain no malicious content. The vulnerabilities enable attackers to completely bypass PickleScan's malware detection mechanisms and potentially execute large-scale supply chain attacks by distributing malicious ML models through platforms like Hugging Face.
Vulnerabilities summary
- CVE-2025-10155 (CVSS score 9.3) - File Extension Bypass vulnerability. An Improper Input Validation flaw in PickleScan's scanning logic that allows attackers to bypass security checks through a simple file extension mismatch. The vulnerability exists in the scan_bytes function, which prioritizes file extension checks over content inspection. When a malicious standard pickle file is given a PyTorch-related extension such as .bin or .pt, the scanner attempts to parse it using PyTorch-specific logic. When this parsing fails, the scanner returns an error without falling back to standard pickle analysis, effectively allowing the malicious payload to evade detection. Meanwhile, PyTorch itself loads the file normally by checking contents rather than extensions, creating a blind spot where malicious code passes undetected through security scans but executes successfully when loaded.
- CVE-2025-10156 (CVSS score 9.3) - ZIP Archive CRC Bypass vulnerability. Improper Handling of Exceptional Conditions vulnerability that exploits differences in how PickleScan and PyTorch process ZIP archives. PickleScan relies on Python's standard zipfile module, which raises exceptions when encountering files with Cyclic Redundancy Check errors. However, PickleScan does not handle these exceptions gracefully and instead halts the scan entirely without analyzing the archive contents. PyTorch, configured to ignore CRC mismatches in many implementations, can still load and execute models from these corrupted archives. Researchers demonstrated that attackers can craft malicious PyTorch models, package them into ZIP archives with intentionally zeroed CRC values, and successfully bypass PickleScan while the models load normally in PyTorch environments, potentially executing malicious code during deserialization.
- CVE-2025-10157 (CVSS score 9.3) - Unsafe Globals Blacklist Evasion vulnerability. Protection Mechanism Failure that allows attackers to circumvent PickleScan's blacklist of dangerous module imports. The scanner performs exact string matching against blocklisted module names to identify unsafe imports. Attackers can exploit this by importing submodules of dangerous packages instead of the parent packages themselves. For example, importing asyncio.unix_events instead of asyncio bypasses the blacklist check since the exact string does not match. This causes PickleScan to label the import as merely "Suspicious" instead of "Dangerous," allowing malicious payloads to pass scanning. Proof-of-concept demonstrations using internal asyncio classes showed how arbitrary commands could execute during deserialization and avoid proper classification and detection by the security tool.
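The three bypasses above share a pattern: the scanner trusted something other than the bytes it was handed (a file extension, a clean archive read, an exact module string). The following is an added example, not PickleScan's own code, of a small scanner that has the opposite defaults: it dispatches on content rather than extension, fails closed when an archive read raises a CRC error instead of returning a clean result, and classifies a submodule the same way as its blocklisted parent. The module lists, the `placeholder_name` attribute in the constructed pickle, and the sample inputs are assumptions made for the demo; `pickletools.genops` only disassembles a pickle stream and never executes it.

```python
"""Content-first, fail-closed pickle/ZIP scanning (added example, not PickleScan's code)."""
import io
import pickle
import pickletools
import zipfile

# Constructed, illustrative lists for the demo; PickleScan's real lists are larger.
DANGEROUS_MODULES = ("os", "subprocess", "builtins", "asyncio")
SAFE_MODULES = ("collections", "numpy", "torch")

# Opcodes that push a string; STACK_GLOBAL (protocol 4+) takes module/name from these.
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE"}
RANK = {"CLEAN": 0, "SUSPICIOUS": 1, "DANGEROUS": 2, "ERROR": 3}


def matches_exact(module, blocklist=DANGEROUS_MODULES):
    """Exact-string matching: 'asyncio.unix_events' is not 'asyncio' (CVE-2025-10157)."""
    return module in blocklist


def matches_prefix(module, blocklist=DANGEROUS_MODULES):
    """Prefix-aware matching: a submodule inherits its parent package's classification."""
    return any(module == bad or module.startswith(bad + ".") for bad in blocklist)


def extract_globals(data):
    """Return (module, name) pairs named by GLOBAL/STACK_GLOBAL opcodes without loading."""
    strings, found = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            strings.append(arg)
        elif opcode.name == "GLOBAL":          # arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":    # module and name are the last two strings pushed
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without module/name strings")
            found.append((strings[-2], strings[-1]))
    return found


def scan_pickle(data):
    """Verdict for one pickle stream. A parse failure is ERROR, never CLEAN."""
    try:
        globals_ = extract_globals(data)
    except Exception as exc:  # malformed stream, or not a pickle at all
        return {"verdict": "ERROR", "globals": [], "reason": str(exc)}
    if any(matches_prefix(m) for m, _ in globals_):
        verdict = "DANGEROUS"
    elif all(matches_prefix(m, SAFE_MODULES) for m, _ in globals_):
        verdict = "CLEAN"
    else:
        verdict = "SUSPICIOUS"
    return {"verdict": verdict, "globals": globals_, "reason": ""}


def scan_zip(data):
    """Scan pickle-looking members of a ZIP; a CRC error fails closed (CVE-2025-10156)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            worst = {"verdict": "CLEAN", "globals": [], "reason": ""}
            for info in zf.infolist():
                try:
                    member = zf.read(info.filename)  # raises BadZipFile on CRC mismatch
                except zipfile.BadZipFile as exc:
                    return {"verdict": "ERROR", "globals": [], "reason": f"{info.filename}: {exc}"}
                if info.filename.endswith(".pkl") or member[:1] == b"\x80":
                    result = scan_pickle(member)
                    if RANK[result["verdict"]] > RANK[worst["verdict"]]:
                        worst = result
            return worst
    except zipfile.BadZipFile as exc:
        return {"verdict": "ERROR", "globals": [], "reason": str(exc)}


def scan_bytes(data, filename="<bytes>"):
    """Entry point: dispatch on the ZIP signature in the bytes, never on the
    extension (CVE-2025-10155). A plain pickle named .pt or .bin is still scanned."""
    result = scan_zip(data) if data[:4] == b"PK\x03\x04" else scan_pickle(data)
    result["file"] = filename
    return result


# --- constructed samples; nothing here is ever unpickled ---
BENIGN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=2)
# GLOBAL opcode naming a submodule of a blocklisted package; the attribute is a placeholder.
SUBMODULE_IMPORT = b"\x80\x02casyncio.unix_events\nplaceholder_name\n."


def make_zip(member_name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def zero_crc_fields(zip_bytes):
    """Test fixture: zero the CRC-32 field of the first local header (offset 14)
    and first central-directory entry (offset 16) so zipfile reports a mismatch."""
    buf = bytearray(zip_bytes)
    lh, cd = buf.find(b"PK\x03\x04"), buf.find(b"PK\x01\x02")
    buf[lh + 14:lh + 18] = b"\x00" * 4
    buf[cd + 16:cd + 20] = b"\x00" * 4
    return bytes(buf)


if __name__ == "__main__":
    for name, blob in [("model.pt", SUBMODULE_IMPORT), ("model.bin", BENIGN),
                       ("model.zip", make_zip("data.pkl", BENIGN)),
                       ("bad_crc.zip", zero_crc_fields(make_zip("data.pkl", BENIGN)))]:
        print(scan_bytes(blob, name))
```

The design point is that an ERROR verdict is a distinct, non-clean outcome that a CI gate or model registry should treat as a rejection, not as "nothing found"; and that the blocklist test is `module == bad or module.startswith(bad + ".")`, so the classification of `asyncio` carries over to `asyncio.unix_events` without enumerating every submodule.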
The vulnerabilities affect PickleScan versions up to and including 0.0.30. Patched versions are 0.0.31 and later.
JFrog security researchers emphasize that as AI libraries like PyTorch grow increasingly complex, introducing new features and model formats faster than security tools can adapt, the widening gap between innovation and protection leaves organizations vulnerable to emerging threats.
Organizations and developers are strongly advised to update to PickleScan version 0.0.31, adopt layered defense strategies beyond simple blacklist-based scanning, and consider migrating to safer serialization formats such as Safetensors to mitigate risks associated with Python's Pickle module.