Picklescan Vulnerabilities Could Let Hackers Bypass AI Security Checks
Sonatype researchers uncover critical vulnerabilities in picklescan. Learn how these flaws impact AI model security, Hugging Face, and best practices for developers.
Cybersecurity researchers at Sonatype have identified several vulnerabilities within picklescan, a tool used for examining Python pickle files for malicious code. These files, commonly used for storing and retrieving machine learning models, pose a security risk due to their ability to execute arbitrary code during the process of retrieving the stored data.
According to Sonatype’s analysis, shared with Hackread.com, four vulnerabilities were found in total:
CVE-2025-1716 – allows attackers to bypass the tool’s checks and execute harmful code;
CVE-2025-1889 – failure to detect hidden malicious files due to its reliance on file extensions;
CVE-2025-1944 – can be exploited by manipulating ZIP archive filenames to cause the tool to malfunction;
CVE-2025-1945 – failure to detect malicious files when certain bits within ZIP archives are altered.
It is worth noting that platforms such as Hugging Face utilize picklescan as part of their security measures to identify malicious AI models. The discovered vulnerabilities could allow malicious actors to bypass these security checks, thereby posing a threat to developers who rely on open-source AI models, as they can lead to “arbitrary code execution,” researchers noted. This means an attacker could potentially take complete control of a system.
“Given the role of picklescan within the wider AI/ML hygiene posture (e.g. when used with PyTorch), the vulnerabilities discovered by Sonatype could be leveraged by threat actors to bypass malware scanning (at least in part) and target devs leveraging open source AI,” researchers explained in the blog post.
The good news is that the picklescan maintainer showed a strong commitment to security by promptly addressing the vulnerabilities, releasing version 0.0.23, which patched the flaws and minimized the window in which malicious actors could exploit them.
Sonatype’s chief product officer, Mitchell Johnson, urges developers to avoid using pickle files from untrusted sources whenever possible, and instead utilize safer file formats. If pickle files must be used, they should only be loaded in secure, controlled environments. Moreover, it is important to verify the integrity of AI models through cryptographic signatures and checksums, and to implement multi-layered security scanning.
The findings highlight the growing need for advanced, reliable security measures in AI/ML pipelines. To mitigate the risks, organizations should adopt practices such as utilizing safer file formats, employing multiple security scanning tools, and monitoring for suspicious behaviour when loading pickle files.
Related news
### Summary
PickleScan is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.
### Details
Python's built-in zipfile module performs strict integrity checks when extracting ZIP files. If a filename stored in the ZIP header does not match the filename in the directory listing, zipfile.ZipFile.open() raises a BadZipFile error. PickleScan relies on zipfile to extract and inspect the contents of PyTorch model archives, making it susceptible to this manipulation. PyTorch, on the other hand, has a more tolerant ZIP handling mechanism that ignores these discrepancies, allowing the model to load even when PickleSca...
### Summary
PickleScan fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.
### Details
PickleScan relies on Python’s zipfile module to extract and scan files within ZIP-based model archives. However, certain flag bits in ZIP headers affect how files are interpreted, and some of these bits cause PickleScan to fail while leaving PyTorch’s loading mechanism unaffected. By modifying the flag_bits field in the ZIP file entry, an attacker can:
- Embed a malicious pickle file (bad_file.pkl) in a PyTorch model archive.
- Flip specific bits (e.g., 0x1, 0x20, 0x40) in the ZIP metadata.
- Prevent PickleScan from scanning the archive due to errors raised by zipf...
### Summary
An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited to run pip install and fetch a malicious package, enabling remote code execution (RCE) upon package installation.
### Details
Pickle’s deserialization process allows execution of arbitrary functions via the __reduce__ method. While Picklescan is designed to detect such exploits, this attack evades detection by leveraging pip.main() as the callable function. Since pip is a legitimate package operation, it may not raise red flags in security scans. The payload executes the following steps:
1. During unpickling, it calls pip.main() to install a malicious PyPI package.
2. The installed package runs arbitrary code via setup.py, entry_points, or post-install hooks.
3. Execution is silent, with minimal logging to avoid detection.
### PoC
Step 1: Create the Malicious Package...
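As an added example (not picklescan's, Sonatype's or PyTorch's code), the following Python pre-check applies the article's advice of checksum verification and fail-closed scanning to the two archive-level issues described in the advisories above: a local header filename that differs from the central directory (CVE-2025-1944) and unusual ZIP flag bits (CVE-2025-1945). It reads the local header bytes itself so a mismatch is reported as a finding instead of a BadZipFile crash, and it treats any parse error as unsafe; the flag-bit values and the 30-byte local header layout come from the ZIP format, the sample archive is constructed here, and `expected_sha256` is assumed to be a digest published with the model.

```python
import hashlib
import io
import struct
import zipfile

# Flag bits the advisories above name as breaking zipfile-based scanners:
# 0x1 encrypted, 0x20 compressed patched data, 0x40 strong encryption.
SUSPICIOUS_FLAG_BITS = 0x1 | 0x20 | 0x40
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"  # the 30-byte ZIP local file header

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def local_header_name(data: bytes, info: zipfile.ZipInfo) -> str:
    """Read an entry's filename straight from its local header bytes, so a
    mismatch with the central directory becomes a finding rather than a
    BadZipFile crash raised later by ZipFile.open()."""
    off = info.header_offset
    fields = struct.unpack(LOCAL_HEADER_FMT, data[off:off + 30])
    sig, flags, name_len = fields[0], fields[2], fields[9]
    if sig != b"PK\x03\x04":
        raise zipfile.BadZipFile("bad local file header signature")
    raw = data[off + 30:off + 30 + name_len]
    return raw.decode("utf-8" if flags & 0x800 else "cp437")

def inspect_archive(data: bytes, expected_sha256: str = "") -> list:
    """Return a list of findings; an empty list means no red flags were seen.
    Any parse failure is itself a finding, so the checker fails closed."""
    findings = []
    if expected_sha256 and sha256_hex(data) != expected_sha256:
        findings.append("checksum mismatch: archive differs from the published digest")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & SUSPICIOUS_FLAG_BITS:
                    findings.append(f"{info.filename}: unusual flag bits 0x{info.flag_bits:x}")
                if local_header_name(data, info) != info.orig_filename:
                    findings.append(f"{info.filename}: local header name differs from central directory")
    except Exception as exc:  # BadZipFile, struct.error, ...: never treat a crash as clean
        findings.append(f"archive could not be parsed safely ({exc!r})")
    return findings

def constructed_sample_archive() -> bytes:
    """Constructed, benign PyTorch-style archive for trying the checks offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", b"\x80\x04N.")  # pickle of None, nothing executable
    return buf.getvalue()
```

Run `inspect_archive` before handing an archive to picklescan or torch.load(); an empty result is a precondition for scanning, not a clean verdict on the pickle contents themselves.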