Three critical zero-day vulnerabilities affecting PickleScan, a widely used tool for scanning Python pickle files and PyTorch models, have been uncovered by cybersecurity researchers.
The flaws, all with a CVSS rating of 9.3, show how attackers could bypass model-scanning safeguards and distribute malicious machine learning models undetected.
The JFrog Security Research Team has described the vulnerabilities in an advisory published on 2 December.
Three Critical Flaws
The first flaw, CVE-2025-10155, involved a simple file extension bypass. Researchers found that renaming a malicious pickle file to a common PyTorch extension, such as .bin or .pt, caused PickleScan to misclassify the file type and hand it off to PyTorch-specific parsing logic. Because the scanner prioritized extensions over content inspection, the mismatch resulted in a failed scan while PyTorch still loaded the file normally.
A second issue, CVE-2025-10156, exposed a deeper gap between how PickleScan and PyTorch process ZIP archives. PickleScan depended on Python’s zipfile module, which threw exceptions when encountering Cyclic Redundancy Check (CRC) errors. PyTorch ignored these mismatches, so a corrupted archive containing malicious code could load successfully. Researchers demonstrated that zeroing CRC values in a PyTorch model archive caused PickleScan to fail, creating a blind spot that attackers could exploit to upload bypassed models.
The third vulnerability, CVE-2025-10157, allowed attackers to evade PickleScan’s blacklist of dangerous imports. Instead of referencing a flagged module directly, a malicious payload could call a subclass of that module, leading the scanner to label it only as “Suspicious.” A proof-of-concept (POC) using internal asyncio classes showed how arbitrary commands could execute during deserialization while avoiding a “Dangerous” classification.
Read more on AI supply chain security: AI Hallucinations Create “Slopsquatting” Supply Chain Threat
The findings highlight systemic risks, including:
-
Reliance on a single scanning tool
-
Divergent file-handling behavior between security tools and machine learning (ML) frameworks
-
Exposure to large-scale supply chain attacks across major model hubs
The vulnerabilities were disclosed to PickleScan maintainers on June 29, 2025, and patched on September 2, 2025.
JFrog recommended updating PickleScan to version 0.0.31, adopting layered defenses and shifting to safer formats such as Safetensors.
