Picklescan Bugs Allow Malicious PyTorch Models to Evade Scans and Execute Code

These articles are AI-generated summaries. Please check the original sources for full details.

Three critical Picklescan vulnerabilities (CVE-2025-10155, CVE-2025-10156, CVE-2025-10157) allow malicious PyTorch models to bypass scans and execute arbitrary code, with CVSS scores up to 9.3. Security researcher David Cohen warns these flaws could enable large-scale supply chain attacks via undetectable malicious models.

Why This Matters

Picklescan relies on a blocklist of known hazardous imports to detect malicious pickle files, but this approach fails to adapt to novel attack vectors. Attackers can exploit gaps in the tool’s logic to bypass protections, risking data exfiltration or model tampering. The vulnerabilities highlight a systemic gap between AI innovation and security tooling, leaving organizations exposed to evolving threats.

Key Insights

  • Three CVEs (CVSS 9.3) in Picklescan allow bypassing malware detection via file extensions, CRC errors, or unsafe globals
  • Attackers can embed malicious code in PyTorch models using .bin/.pt extensions, evading detection by Picklescan’s blocklist
  • SecDim demonstrated DNS-based data exfiltration using linecache and ssl modules, undetected by Picklescan 0.0.24

Practical Applications

  • Use Case: AI model supply chain attacks leveraging Picklescan’s bypasses to inject backdoors into PyTorch models
  • Pitfall: Relying on static blocklists without continuous updates, enabling attackers to exploit unknown vectors
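The blocklist weakness described under Why This Matters and the static-blocklist pitfall above both point at the same remedy: enumerate every global a pickle would import and accept only an explicit allowlist, failing closed on anything the scanner cannot resolve. The following Python is an added, defender-side example (not Picklescan's code); the allowlist contents and the sample objects are constructed for illustration, and nothing is ever unpickled.

```python
# Allowlist-based static check of a pickle stream (added example, not Picklescan code):
# enumerate every global the stream would resolve and accept only an explicit allowlist,
# failing closed on anything unresolvable. Nothing is ever unpickled.
import collections
import io
import pickle
import pickletools

# Constructed allowlist for illustration; a real one is per model format and reviewed.
ALLOWED_GLOBALS = frozenset({
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),  # assumed typical entry for PyTorch checkpoints
})
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
              "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that leave the operand stack unchanged and may sit between a global's operands.
TRANSPARENT_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT", "FRAME"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) pair the stream would import, without executing it."""
    found = []
    recent = []  # the last two non-transparent opcodes, used to resolve STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in TRANSPARENT_OPS:
            continue
        if op.name == "GLOBAL":                      # protocol <= 3: "module name" literal
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":              # protocol >= 4: operands pushed earlier
            # Accept only the plain case of two string pushes; a memo reference (BINGET)
            # or any computed operand cannot be resolved here, so the scan fails closed.
            if len(recent) < 2 or not all(n in STRING_OPS for n, _ in recent):
                raise ValueError("STACK_GLOBAL operands not statically resolvable")
            found.append((recent[0][1], recent[1][1]))
        recent = (recent + [(op.name, arg)])[-2:]
    return found

def scan_pickle(data: bytes, allowed=ALLOWED_GLOBALS) -> tuple[bool, list[tuple[str, str]]]:
    """True only if every global is allowlisted; malformed input is rejected, not skipped."""
    try:
        used = referenced_globals(data)
    except ValueError as exc:  # truncated stream, unknown opcode, unresolvable global
        return False, [("<unresolvable>", str(exc))]
    offenders = [g for g in used if g not in allowed]
    return not offenders, offenders

if __name__ == "__main__":
    # Constructed samples: a plain dict imports nothing; OrderedDict is allowlisted; Counter is not.
    for obj in ({"a": 1}, collections.OrderedDict(a=1), collections.Counter("ab")):
        for proto in (2, 4):
            print(type(obj).__name__, proto, scan_pickle(pickle.dumps(obj, protocol=proto)))
```

The check is deliberately conservative: a stream that builds its import target in any way other than two literal strings is rejected rather than guessed at, which is the opposite of a blocklist's default of passing whatever it does not recognise.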
