Cyber Posture

CVE-2025-1889

Critical · Public PoC

Published: 03 March 2025
Modified: 29 December 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

Security Summary

CVE-2025-1889 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting picklescan versions prior to 0.0.22. Picklescan is a vulnerability scanning tool that detects unsafe pickle usage in Python files, but it only considers files with standard pickle extensions (such as .pkl or .pickle) within its scan scope. This limitation allows malicious pickle files with non-standard extensions to evade detection, leading to false negatives where unsafe files appear secure. The issue is linked to CWE-646 (Reliance on File Name or Extension) and NVD-CWE-noinfo.

An attacker can exploit this vulnerability by crafting a malicious Python model or package that incorporates a dangerous pickle file renamed with a non-standard extension. A security practitioner or developer using the vulnerable picklescan to scan a repository or artifact containing this malicious file would receive a clean bill of health, potentially leading to the file being trusted and loaded. Upon deserialization, the pickle file could execute arbitrary code, resulting in high confidentiality, integrity, and availability impacts remotely with no authentication or user interaction required.

The GitHub security advisory (GHSA-655q-fx9r-782v) and Sonatype advisory detail mitigation steps, primarily recommending an upgrade to picklescan 0.0.22 or later, which expands the scan scope to include non-standard pickle extensions and prevents such bypasses. Practitioners should rescan existing models or dependencies after patching to identify previously missed threats.
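As an added illustration (not picklescan's code and not part of this advisory), the following Python script contrasts the extension-gated scope described above with content-based triage: it sniffs whether a blob parses as a pickle stream, disassembles it statically with pickletools.genops (never pickle.load), and reports any GLOBAL or STACK_GLOBAL reference outside a small allow-list. Sample inputs are constructed inline: a benign OrderedDict pickle, a hand-written protocol-0 stream that only references pip.main (the global cited further down the page) and is never loaded, and a zip container mimicking a PyTorch .pt layout. The allow-list contents, the file names and the `extension_only` switch are assumptions made for the demonstration.

```python
"""Content-based pickle triage (added example, not picklescan's own code)."""
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# The weak scope rule CVE-2025-1889 describes: only these names are ever opened.
PICKLE_EXTENSIONS = (".pkl", ".pickle", ".pt", ".pth")

# Hypothetical allow-list: globals a plain model checkpoint is expected to reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def in_scope_by_extension(filename):
    """Extension gate only; a renamed pickle passes straight through."""
    return filename.lower().endswith(PICKLE_EXTENSIONS)


def looks_like_pickle(data):
    """Content sniff: a blob counts as a pickle if its opcodes parse up to STOP."""
    try:
        return any(op.name == "STOP" for op, _arg, _pos in pickletools.genops(data))
    except Exception:
        return False


def referenced_globals(data):
    """Statically collect (module, name) pairs from GLOBAL and STACK_GLOBAL.

    genops only disassembles; nothing is imported or executed. A string stack
    plus memo table resolves STACK_GLOBAL operands, including ones fetched
    back with BINGET after being memoized earlier in the stream.
    """
    refs, stack, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":                  # protocols 0-3: "module name" in one arg
            module, attr = arg.split(" ", 1)
            refs.append((module, attr))
            last = None
        elif name in STRING_OPS:
            stack.append(arg)
            last = arg
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in PUT_OPS:
            memo[arg] = last
        elif name in GET_OPS:
            last = memo.get(arg)
            stack.append(last)
        elif name == "STACK_GLOBAL":          # protocol 4+: module and name pushed as strings
            attr = stack.pop() if stack else None
            module = stack.pop() if stack else None
            refs.append((str(module), str(attr)))
            last = None
        else:
            last = None
    return refs


def scan_bytes(data):
    """Classify one blob as 'not-pickle', 'clean', or 'unsafe' plus offending globals."""
    if not looks_like_pickle(data):
        return "not-pickle", []
    flagged = [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]
    return ("unsafe" if flagged else "clean"), flagged


def scan_file(filename, data, extension_only=False):
    """extension_only=True reproduces the blind spot: out-of-scope names are skipped.

    Zip containers (the PyTorch .pt/.pth layout) are opened and every member is
    sniffed by content rather than by its name.
    """
    if extension_only and not in_scope_by_extension(filename):
        return {filename: ("skipped", [])}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {f"{filename}:{m}": scan_bytes(zf.read(m)) for m in zf.namelist()}
    return {filename: scan_bytes(data)}


# --- constructed samples, not real artifacts ---------------------------------
BENIGN = pickle.dumps(OrderedDict(weights=[0.1, 0.2]), protocol=4)
# Protocol-0 stream that only pushes a reference to pip.main and stops; it has no
# REDUCE opcode and is never passed to pickle.load anywhere in this script.
SUSPECT = b"cpip\nmain\n."


def build_sample_zip(member_data):
    """Zip with a data.pkl member, mimicking the PyTorch checkpoint layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", member_data)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


if __name__ == "__main__":
    cases = [("weights.bin", SUSPECT, True),    # renamed pickle, extension gate: missed
             ("weights.bin", SUSPECT, False),   # same bytes, content sniff: flagged
             ("model.pt", build_sample_zip(SUSPECT), False),
             ("good.pkl", BENIGN, False)]
    for name, blob, ext_only in cases:
        mode = "extension-only" if ext_only else "content-based"
        print(f"{mode:15} {scan_file(name, blob, ext_only)}")
```

The same bytes under the name `weights.bin` are skipped by the extension gate and flagged by the content sniff, which is the whole difference the advisory turns on; an allow-list of expected globals, rather than a denylist of known-bad ones, is what turns an unknown reference into a finding instead of a silent pass.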

Details

CWE(s): CWE-646, NVD-CWE-noinfo

Affected Products

mmaitre314 / picklescan, ≤ 0.0.22

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Picklescan is a security scanning tool specifically designed to detect vulnerabilities in Python pickle files, which are commonly used for serializing machine learning models (e.g., in PyTorch via torch.load()). The vulnerability enables bypassing scans for malicious pickles embedded in ML models with non-standard extensions, directly impacting AI/ML model security.

MITRE ATT&CK Enterprise Techniques

T1036.008 Masquerade File Type (Stealth): Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents.
T1027.009 Embedded Payloads (Stealth): Adversaries may embed payloads within other files to conceal malicious content from defenses.
T1211 Exploitation for Stealth (Stealth): Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

The vulnerability allows picklescan's detection of malicious pickle deserialization payloads to be bypassed via non-standard file extensions or undetected unsafe globals (e.g., pip.main). This enables file type masquerading, embedding of payloads in archives such as PyTorch models, and exploitation of the security scanning tool itself for defense evasion, ultimately leading to RCE.

References