CVE-2025-1945
Published: 10 March 2025
Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Security Summary
CVE-2025-1945 affects picklescan versions before 0.0.23, a tool designed to scan Python pickle files for malicious content. The vulnerability stems from picklescan's failure to detect malicious pickle files embedded inside PyTorch model archives when attackers flip specific ZIP file flag bits in the headers. These modified archives evade detection by picklescan but are still successfully loaded by PyTorch's torch.load() function, enabling arbitrary code execution upon model loading. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-345.
An attacker can exploit this vulnerability by crafting a compromised PyTorch model archive with hidden malicious pickle data that bypasses picklescan scanning. Exploitation requires no authentication or privileges and can occur remotely over the network with low attack complexity and no user interaction beyond the victim loading the model. Successful attacks grant attackers arbitrary code execution on the victim's system, potentially compromising entire environments that process untrusted PyTorch models.
The picklescan project addresses this in version 0.0.23 via a GitHub commit (e58e45e0d9e091159c1554f9b04828bbb40b9781) that improves ZIP header flag inspection. Practitioners should upgrade to this version or later, as recommended in the project's security advisory (GHSA-w8jq-xcqf-f792) and Sonatype's advisory on CVE-2025-1945.
This vulnerability is directly relevant to AI/ML pipelines, given PyTorch's prevalence in model serialization and the risk of supply chain compromise in shared model repositories.
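The summary above describes a parser differential: picklescan and torch.load() read the same ZIP-based archive through different code paths, so header bits that one reader tolerates can make the other skip an entry. The following check is an added example (not picklescan's or PyTorch's code) of the defensive counterpart: it parses each local file header independently, compares it with the central directory, flags bits a model archive has no reason to set, and treats any entry it cannot read as a finding rather than a skip. The archive is constructed in memory, the chosen flag bits and the tampered fixture are assumptions for illustration, and nothing is ever unpickled.

```python
import io
import struct
import zipfile

# Constructed sample: one entry named like a PyTorch model member; the body is
# placeholder bytes, not a real pickle, and nothing here is ever unpickled.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("archive/data.pkl", b"placeholder bytes, not a pickle")
    return buf.getvalue()

# General-purpose flag bits a plain model archive has no reason to set (an
# assumption for this check, not taken from the advisory): bit 0 traditional
# encryption, bit 6 strong encryption, bit 13 masked local header fields.
UNEXPECTED_FLAG_BITS = (1 << 0) | (1 << 6) | (1 << 13)

def audit_zip_flags(data: bytes) -> list:
    """Independent flag check over a ZIP-based model archive.
    Returns (entry name, finding) pairs; an empty list means no anomaly."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Parse the local file header ourselves instead of trusting the central
            # directory alone: different readers consult different structures.
            sig, _ver, local_flags = struct.unpack_from("<4sHH", data, info.header_offset)
            if sig != b"PK\x03\x04":
                findings.append((info.filename, "bad local header signature"))
                continue
            if local_flags != info.flag_bits:
                findings.append((info.filename, "flag mismatch local=0x%04x central=0x%04x"
                                 % (local_flags, info.flag_bits)))
            if (local_flags | info.flag_bits) & UNEXPECTED_FLAG_BITS:
                findings.append((info.filename, "unexpected flag bits set"))
            # Fail closed: an entry the scanner cannot read is itself a finding,
            # never a silently skipped entry that the loader may still accept.
            try:
                with zf.open(info) as fh:
                    fh.read()
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile) as exc:
                findings.append((info.filename, "unreadable entry: %s" % exc))
    return findings

def build_tampered_sample() -> bytes:
    """Detector test fixture only: local header flag word set to disagree with the central directory."""
    data = bytearray(build_sample_archive())
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        flag_offset = zf.infolist()[0].header_offset + 6  # flags follow sig + version
    struct.pack_into("<H", data, flag_offset, 0x0001)
    return bytes(data)
```

Run it against a clean archive and the tampered fixture: the clean sample yields no findings, while the fixture is reported both for the local/central mismatch and for the unexpected bit.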
Details
- CWE(s): CWE-345
Affected Products
AI Security Analysis
- AI Category: Deep Learning Frameworks
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: The vulnerability affects picklescan's scanning of PyTorch model archives (.pth files), which are ZIP-based and loaded via PyTorch's torch.load(). PyTorch is a core deep learning framework, and the issue enables supply chain attacks on PyTorch models.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-1945 enables embedding malicious pickle payloads in PyTorch ZIP model archives via ZIP flag modifications, evading picklescan detection (T1211: Exploitation for Defense Evasion; T1027.009: Embedded Payloads) while allowing arbitrary code execution upon loading, facilitating ML supply chain attacks (T1195.002: Compromise Software Supply Chain).