CVE-2025-10155: Security bypass of picklescan via incorrect file extension classification leading to arbitrary code execution

ISGroup Cybersecurity

The picklescan software is a popular open-source tool designed to detect security vulnerabilities in machine learning (ML) models saved in the pickle format. It is widely used in MLOps pipelines and by data science teams to verify models from untrusted sources, preventing attacks that exploit the deserialization of malicious data. Business-critical applications, including production services and AI-based analytics, rely on this scan to protect against supply chain attacks targeting ML artifacts.

The impact of this vulnerability is high, as it allows for the complete bypass of the scanner’s security checks, resulting in the possibility of unauthenticated remote code execution. An attacker can disguise a malicious pickle file as a safe PyTorch model, deceiving the scanner. When a downstream application loads the “verified” model, the attacker’s code is executed on the host system. This vulnerability affects any organization using picklescan in its ML pipelines to analyze models from external or untrusted repositories. Although there are currently no confirmed reports of active exploitation, a public exploit is available and the attack complexity is low, indicating a high probability of future exploitation.

Productpicklescan
Date2025-12-05 00:36:43

Technical Summary

The vulnerability is a CWE-20: Improper Input Validation flaw in picklescan‘s file type identification logic. The scanner incorrectly prioritizes the file extension over content analysis to determine the file type, allowing an attacker to evade security checks.

Technical Analysis:

  1. File Camouflage: An attacker creates a standard but malicious pickle file containing dangerous opcodes designed to execute arbitrary commands (e.g., using __reduce__ with os.system).
  2. Evasion via Extension: The attacker saves the malicious pickle payload with a typical PyTorch extension, such as .pt or .pth.
  3. Incorrect Identification: When picklescan analyzes the file, its logic checks the extension first. It incorrectly identifies the file as a “safe” PyTorch model, a file type exempt from standard pickle opcode scanning.
  4. Bypassed Scan: Because the file is misclassified, picklescan skips the necessary security scan that would have otherwise detected the malicious opcodes present in the file. It then reports the file as safe.
  5. Code Execution: A downstream application or an ML engineer, trusting the scan result, loads the malicious file using a standard deserialization library such as pickle.load(). This action triggers the execution of the embedded payload, leading to arbitrary code execution with the permissions of the user running the application.

Affected Versions:

  • Vulnerable: picklescan versions up to and including 0.0.30.
  • Fixed: A fix has been released in subsequent versions. Users must upgrade to the latest available version.

Recommendations

  • Apply the patch immediately: Update picklescan to the latest available version, which contains the fix for this vulnerability. Ensure that all instances within MLOps and security pipelines are updated.
  • Mitigations:
    • If you cannot apply the patch immediately, treat all scan results from vulnerable versions of picklescan with extreme caution, particularly for files with PyTorch extensions from untrusted sources.
    • Implement isolation (sandboxing) for all inference and model analysis environments. Use technologies such as containers (e.g., Docker) or micro-VMs to isolate the model loading process from the host system and the wider network.

  • Hunting and Monitoring:

    • Audit historical scan logs to identify all files with .pt or .pth extensions processed by vulnerable versions of picklescan.
    • Examine system and application logs on servers dedicated to model loading for suspicious activity, such as unexpected network connections or child processes launched by the application responsible for deserialization.
    • Monitor write or modification events on files with extensions like .pt and .pth in unusual directories.

  • Incident Response:

    • If a compromise is suspected, immediately isolate the affected host from the network to prevent lateral movement.
    • Preserve the malicious model file and system logs for forensic analysis.
    • Assume that all data or credentials accessible by the compromised process have been exfiltrated.

  • Defense in Depth:

    • Apply the principle of least privilege. Run model-loading applications with the minimum permissions necessary for their function.
    • Implement network segmentation to limit outbound connections from servers processing ML models, reducing the possibility for an attacker to exfiltrate data or establish a command-and-control channel.

[Callforaction-THREAT-Footer]