Critical PickleScan Vulnerabilities: Exposing AI Model Supply Chain Risks (2025)

Imagine this: your AI models, the backbone of your projects, are being silently infiltrated. That is the scenario opened up by three recently disclosed critical vulnerabilities in PickleScan, a tool meant to catch malicious code hidden inside serialized AI models. It is a wake-up call for everyone who downloads, scans or ships models.

Cybersecurity researchers have discovered three critical 'zero-day' vulnerabilities in PickleScan, a widely used tool for scanning Python pickle files and PyTorch models. Each flaw carries a Common Vulnerability Scoring System (CVSS) score of 9.3, and each lets an attacker bypass the model-scanning safeguard and slip a malicious machine-learning model past the check and into your systems.

These findings, detailed in an advisory published on December 2, 2025 by the JFrog Security Research Team, show how little effort each bypass takes. The three flaws:

  • CVE-2025-10155: the file-extension deception. The first flaw is a simple trick. Renaming a malicious raw pickle file to a common PyTorch extension such as ".bin" or ".pt" made PickleScan misidentify its type: the scanner chose its code path from the extension rather than from the bytes, so the file was handed to the PyTorch-specific parsing logic, which did not apply the normal pickle checks, and the payload went unflagged. PyTorch itself detects the on-disk format from the content, not the extension, so the same file still deserializes when loaded.

  • CVE-2025-10156: the ZIP archive blind spot. The second issue is a divergence between PickleScan and PyTorch in how they handle ZIP archives, the container format of modern PyTorch checkpoints. PickleScan reads archives with Python's zipfile module, which raises an error when a member's stored Cyclic Redundancy Check (CRC-32) value does not match its data; PyTorch's loader ignores the mismatch. By tampering with the CRC values in a model archive, the researchers made PickleScan abort with an error while PyTorch still loaded the archive, and the malicious pickle inside it, successfully. An archive the scanner cannot finish reading is a blind spot unless that failure is treated as a rejection rather than a pass.

  • CVE-2025-10157: the blacklist bypass. The third flaw lets a payload evade PickleScan's blacklist of dangerous imports. Rather than referencing a blacklisted module directly, the payload references a class from a module that is not on the list but that can still run commands, so the scanner rated it only "Suspicious". The researchers' proof of concept (PoC) used internal asyncio classes to execute arbitrary commands during deserialization without ever triggering a "Dangerous" classification.
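The following is an added example and is not PickleScan's code or JFrog's PoC. It sketches a scanner that closes the three gaps above in order: it picks the container by content (ZIP magic) instead of file extension, treats a ZIP member whose CRC-32 fails verification as a rejection rather than a skip, and judges imports against an allowlist so an unlisted module is never "merely suspicious". The allowlist entries, the hand-assembled malicious pickle and the ZIP wrapper are all constructed for the example; no payload is ever unpickled.

```python
import io
import pickle
import pickletools
import struct
import zipfile
from collections import OrderedDict

# Globals a plain tensor checkpoint legitimately references. Assumption: a real
# allowlist is longer; this one is deliberately minimal for the example.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

ZIP_MAGIC = b"PK\x03\x04"
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_globals(data: bytes) -> set:
    """Collect every (module, name) a pickle would import, without executing it."""
    found = set()
    strings = []  # shadow stack of pushed strings; STACK_GLOBAL consumes the last two
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":                                # protocol <= 3 form
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol 4+ form
            name, module = strings.pop(), strings.pop()
            found.add((module, name))
    return found


def pickle_streams(data: bytes):
    """Yield (member_name, pickle_bytes) for each pickle found in `data`.

    The container is decided from content, never from the file name, and a ZIP
    member whose CRC-32 does not verify aborts the scan instead of being skipped.
    """
    if not data.startswith(ZIP_MAGIC):
        yield "<raw pickle>", data
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # zipfile raises BadZipFile here on a CRC mismatch; PyTorch's own
            # reader does not verify CRCs, so such an archive still loads there.
            member = zf.read(info.filename)
            if member.startswith(b"\x80"):  # PROTO opcode: a protocol>=2 pickle
                yield info.filename, member


def scan(data: bytes) -> dict:
    """Return a verdict for a model blob: 'clean', 'dangerous' or 'rejected'."""
    refs = set()
    try:
        for _member, blob in pickle_streams(data):
            refs |= extract_globals(blob)
    except (zipfile.BadZipFile, ValueError) as exc:
        return {"verdict": "rejected", "reason": str(exc), "globals": []}
    disallowed = sorted(refs - ALLOWED_GLOBALS)
    return {"verdict": "dangerous" if disallowed else "clean",
            "reason": "", "globals": disallowed}


# --- constructed samples (not real model files) --------------------------------

def build_malicious_pickle() -> bytes:
    """Hand-assembled protocol-4 pickle: unpickling it would call os.system('id')."""
    return (b"\x80\x04"                       # PROTO 4
            b"\x8c\x02os\x8c\x06system\x93"  # push 'os', 'system'; STACK_GLOBAL
            b"\x8c\x02id\x85R.")             # push 'id'; TUPLE1; REDUCE; STOP


def build_benign_pickle() -> bytes:
    """A state-dict-shaped pickle that only needs collections.OrderedDict."""
    return pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)


def build_zip(member_name: str, payload: bytes, corrupt_crc: bool = False) -> bytes:
    """Wrap `payload` in a PyTorch-style ZIP; optionally break its CRC-32 fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    if corrupt_crc:
        # CRC-32 sits at offset 14 of the local header and 16 of the central entry.
        for sig, off in ((b"PK\x03\x04", 14), (b"PK\x01\x02", 16)):
            pos = data.index(sig)
            data[pos + off:pos + off + 4] = struct.pack("<I", 0xDEADBEEF)
    return bytes(data)


if __name__ == "__main__":
    raw = build_malicious_pickle()
    print("raw pickle named model.pt   ->", scan(raw))
    print("zip with malicious data.pkl ->", scan(build_zip("archive/data.pkl", raw)))
    print("same zip, CRC corrupted     ->", scan(build_zip("archive/data.pkl", raw, True)))
    print("benign state dict           ->", scan(build_benign_pickle()))
```

To try it on a real checkpoint, pass `open(path, "rb").read()` to `scan`. The shadow-stack heuristic for STACK_GLOBAL is the same static approach real scanners use and can be confused by crafted opcode sequences, so the block illustrates the three design choices (content-based typing, fail-closed parsing, allowlisting) rather than replacing a maintained scanner.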

Beyond the individual bugs, these vulnerabilities highlight several systemic risks:

  • Over-reliance on a single scanning tool: putting all your trust in one scanner creates a single point of failure.
  • Divergent file-handling behavior: any difference between how a security tool and the machine-learning framework parse the same bytes is a gap an attacker can aim for.
  • Exposure to large-scale supply chain attacks: major model hubs that rely on such scanners could become vectors for widespread compromise.

The vulnerabilities were responsibly disclosed to the PickleScan maintainers on June 29, 2025 and patched on September 2, 2025. JFrog recommends updating PickleScan to version 0.0.31, layering defenses rather than relying on a single scanner, and shifting to safer formats such as Safetensors, which store tensors without executable deserialization logic.

The implications extend beyond the immediate technical details. They underscore the need for a comprehensive approach to AI supply chain security: not only patching scanning tools, but adopting model formats that cannot execute code on load and applying robust security practices throughout the entire AI lifecycle.

What are your thoughts? Do you think these vulnerabilities are a sign of a larger problem in AI security? Share your opinion in the comments below!

Author: Kelle Weber

Last Updated:

Views: 5427

Rating: 4.2 / 5 (53 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Kelle Weber

Birthday: 2000-08-05

Address: 6796 Juan Square, Markfort, MN 58988

Phone: +8215934114615

Job: Hospitality Director

Hobby: tabletop games, Foreign language learning, Leather crafting, Horseback riding, Swimming, Knapping, Handball

Introduction: My name is Kelle Weber, I am a magnificent, enchanting, fair, joyous, light, determined, joyous person who loves writing and wants to share my knowledge and understanding with you.