JFrog Security Research has uncovered three critical zero-day vulnerabilities in PickleScan, a widely adopted, industry-standard tool for scanning machine learning models and detecting malicious content.
These vulnerabilities would allow attackers to fully bypass PickleScan's malware detection mechanisms, potentially facilitating large-scale supply chain attacks by distributing malicious ML models containing undetectable code.
The discoveries underscore a fundamental weakness in the AI security ecosystem's reliance on a single security solution.
PyTorch's popularity in machine learning comes with a significant security burden. The library hosts over 200,000 publicly available models on platforms like Hugging Face, yet it relies on Python's "pickle" serialization format by default.
While pickle's flexibility allows any Python object to be reconstructed, that same property creates a critical vulnerability: pickle files can embed and execute arbitrary Python code during deserialization.
When users load an untrusted PyTorch model, they risk executing malicious code capable of exfiltrating sensitive data, installing backdoors, or compromising entire systems.
This threat is not theoretical: malicious models have already been discovered on Hugging Face, targeting unsuspecting data scientists with silent backdoors.
PickleScan emerged as the industry's frontline defense, parsing pickle bytecode to detect dangerous operations before execution.
The tool analyzes files at the bytecode level, cross-references the results against a blocklist of hazardous imports, and supports multiple PyTorch formats.
However, its security model rests on a critical assumption: PickleScan must interpret files identically to how PyTorch loads them. Any divergence in parsing creates an exploitable security gap.
Three Critical Vulnerabilities
The first vulnerability (CVE-2025-10155, CVSS 9.3) exploits PickleScan's file type detection logic.
By renaming a malicious pickle file with a PyTorch-related extension such as .bin or .pt, attackers can cause PickleScan's PyTorch-specific scanner to fail, while PyTorch itself successfully loads the file by examining its content rather than its extension. The malicious payload executes undetected.
The second vulnerability (CVE-2025-10156, CVSS 9.3) involves CRC (Cyclic Redundancy Check) errors in ZIP archives.
PickleScan fails completely when it encounters a CRC mismatch, raising an exception that halts scanning.
However, PyTorch's model loading generally bypasses these CRC checks, creating a dangerous discrepancy in which PickleScan marks files as unscanned while PyTorch loads and executes their contents successfully.
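The two discrepancies above come down to the same design rule: a scanner has to identify a file by its bytes, not its extension, and has to fail closed on anything it cannot verify. The following Python is an added example written for this article, not PickleScan's or PyTorch's code; the sample files, the `model/data.pkl` layout and the `collect_pickle_streams` helper are constructed for illustration. It sniffs the container type from magic bytes, enumerates pickle streams inside a ZIP container, and turns a CRC-32 mismatch into an explicit "rejected" verdict instead of an unscanned file.

```python
import io
import pickle
import zipfile

# Constructed sample inputs for this example (not artifacts from the article):
# a bare pickle stream and a PyTorch-style ZIP container holding a data.pkl entry.
BARE_PICKLE = pickle.dumps({"weights": [0.1, 0.2]})
INNER_PICKLE = pickle.dumps({"weights": [0.3, 0.4]})


def make_zip_model(payload: bytes) -> bytes:
    """Build a minimal ZIP container in the layout torch.save uses (an archive with a data.pkl entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", payload)
    return buf.getvalue()


def corrupt_stored_entry(archive: bytes, payload: bytes) -> bytes:
    """Flip one byte inside the stored payload so the entry's CRC-32 no longer matches its header."""
    idx = archive.index(payload) + 5
    return archive[:idx] + bytes([archive[idx] ^ 0xFF]) + archive[idx + 1:]


ZIP_MODEL = make_zip_model(INNER_PICKLE)
CORRUPT_ZIP_MODEL = corrupt_stored_entry(ZIP_MODEL, INNER_PICKLE)


def sniff_container(data: bytes) -> str:
    """Classify by leading bytes, never by filename extension."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:1] == b"\x80":          # PROTO opcode: every pickle from protocol 2 upwards starts here
        return "pickle"
    return "unknown"


def collect_pickle_streams(name: str, data: bytes) -> dict:
    """Locate every pickle stream in a model file, failing closed on anything that cannot be verified."""
    kind = sniff_container(data)     # the name is recorded only; it never influences the verdict
    result = {"name": name, "kind": kind, "streams": [], "verdict": "rejected", "reason": ""}
    if kind == "pickle":
        result["streams"].append("<root>")
        result["verdict"] = "ok"
    elif kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.endswith(".pkl"):
                        zf.read(info.filename)   # read() verifies CRC-32 and raises BadZipFile on mismatch
                        result["streams"].append(info.filename)
            result["verdict"] = "ok"
        except zipfile.BadZipFile as exc:
            # Never report "unscanned": a file whose integrity cannot be checked is treated as unsafe.
            result["reason"] = f"archive integrity error: {exc}"
    else:
        result["reason"] = "unrecognised container"
    return result


if __name__ == "__main__":
    samples = [("weights.bin", BARE_PICKLE), ("model.pt", ZIP_MODEL), ("model.pt", CORRUPT_ZIP_MODEL)]
    for fname, blob in samples:
        print(collect_pickle_streams(fname, blob))
```

The "ok" verdict only means the pickle streams were located with their integrity intact; the opcode analysis of each stream is a separate step. The point of the fail-closed branch is policy: an integrity error on the scanner's side must block the file, because the loader on the other side may not perform the same check.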
The third vulnerability (CVE-2025-10157, CVSS 9.3) shows that PickleScan's unsafe globals check can be circumvented by using subclasses of dangerous imports rather than exact module names.
For instance, importing internal classes from asyncio, a blocklisted library, bypasses the check entirely, allowing attackers to inject malicious payloads while PickleScan categorizes the threat as merely "suspicious" rather than "dangerous."
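To make the bytecode-level scanning described earlier and this globals-check weakness concrete, here is an added Python example written for this article; it is not PickleScan's code, and the `DANGEROUS_PACKAGES` and `SAFE_PACKAGES` sets are illustrative assumptions rather than PickleScan's real lists. It walks a pickle stream with the standard-library `pickletools.genops` (which disassembles without executing), collects every `GLOBAL`, `INST` and `STACK_GLOBAL` import reference, and then classifies each reference two ways: an exact match of the module path against the blocklist, and a match on the top-level package. A class reference such as `asyncio.queues.Queue` is only "suspicious" under exact matching and "dangerous" under package matching.

```python
import asyncio
import collections
import pickle
import pickletools

# Illustrative allow/block lists of top-level packages (an assumption for this example, not PickleScan's lists).
DANGEROUS_PACKAGES = {"os", "subprocess", "asyncio"}
SAFE_PACKAGES = {"collections", "torch", "numpy"}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def extract_globals(data: bytes) -> list:
    """Walk the opcode stream without executing it and return every (module, name) import reference.

    GLOBAL/INST carry their operands inline; STACK_GLOBAL (protocol 4+) takes them from the
    stack, so string pushes and memo PUT/GET are tracked. Simplified model: only string values
    are followed, which is all STACK_GLOBAL consumes.
    """
    refs, strings, memo, last_string = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
            last_string = arg
            continue
        if op.name == "MEMOIZE":                 # memo slot = number of items memoized so far
            memo[len(memo)] = last_string
        elif op.name in ("BINPUT", "LONG_BINPUT", "PUT"):
            memo[arg] = last_string
        elif op.name in ("BINGET", "LONG_BINGET", "GET"):
            if memo.get(arg) is not None:
                strings.append(memo[arg])
                last_string = memo[arg]
                continue
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            refs.append((module, name))
        last_string = None
    return refs


def classify_module(module: str, exact_match: bool) -> str:
    """exact_match=True compares the full module path against the lists; False compares the
    top-level package, so submodules of a blocked package are caught as well."""
    key = module if exact_match else module.split(".", 1)[0]
    if key in DANGEROUS_PACKAGES:
        return "dangerous"
    if key in SAFE_PACKAGES:
        return "safe"
    return "suspicious"


def scan_pickle(data: bytes, exact_match: bool = False) -> dict:
    """Static verdict for one pickle stream; a malformed stream is rejected rather than left unscanned."""
    try:
        refs = extract_globals(data)
    except Exception as exc:
        return {"verdict": "rejected", "findings": [], "reason": str(exc)}
    findings = [(module, name, classify_module(module, exact_match)) for module, name in refs]
    levels = {level for _, _, level in findings}
    verdict = "dangerous" if "dangerous" in levels else "suspicious" if "suspicious" in levels else "safe"
    return {"verdict": verdict, "findings": findings, "reason": ""}


# Constructed samples: a benign OrderedDict and a class reference living in a submodule of asyncio.
BENIGN = pickle.dumps(collections.OrderedDict(a=1))
SUBMODULE_REF = pickle.dumps(asyncio.Queue)   # stored by reference as asyncio.queues.Queue; nothing runs on scan

if __name__ == "__main__":
    print(scan_pickle(BENIGN))
    print(scan_pickle(SUBMODULE_REF, exact_match=True))
    print(scan_pickle(SUBMODULE_REF))
```

Matching on the top-level package is the simplest robust rule because Python's import machinery treats `asyncio.queues` as part of `asyncio`; any scanner that compares full module strings has to enumerate every submodule of every blocked package, and will miss the ones it does not know about.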
Systemic Security Implications
These vulnerabilities expose deeper problems in AI security infrastructure. The ecosystem's single point of failure around PickleScan means that when the tool fails, entire security architectures collapse.
Organizations relying on Hugging Face, which integrates PickleScan to scan millions of uploaded models, face particular risk.
The vulnerabilities show how divergences between security tools and the applications they protect create exploitable gaps, a critical lesson for AI security professionals.
Organizations should immediately update to PickleScan version 0.0.31, which addresses all three vulnerabilities.
However, this patch alone is insufficient. Implementing layered defenses, including sandboxed environments and secure model repository proxies such as JFrog Artifactory, provides additional protection.
Organizations should prioritize migrating to safer ML model formats such as Safetensors while automatically removing models that fail security scans.
The AI security community must recognize that no single tool can guarantee complete protection, and that defense-in-depth strategies remain essential in this evolving threat landscape.