CVE-2025-10155: Bypassing picklescan Control with Remote Code Execution

ISGroup Cybersecurity

Product Definition: Picklescan is a security tool designed to scan Python pickle files for malicious code before they are deserialized. It is widely used in Machine Learning (ML) and MLOps environments to mitigate the risk of Remote Code Execution (RCE) when loading models or data from untrusted sources. Its primary function is to act as a security barrier within the ML supply chain.

Risk Profile: This vulnerability allows for a complete bypass of the tool’s scanning capabilities, posing a high risk of unauthenticated Remote Code Execution. An attacker can craft a malicious file that a vulnerable version of Picklescan will incorrectly classify as safe. Any downstream application that trusts this result and loads the file will be compromised. The vulnerability undermines the tool’s core security guarantee.

Threat Intelligence: A public proof-of-concept exploit is available. However, there are currently no known cases of active exploitation of this vulnerability. It is not present in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Exposure Surface: Organizations are at risk if they use Picklescan versions up to and including 0.0.30 in automated workflows, such as CI/CD pipelines for model validation or public model ingestion platforms. Individual developers and data scientists who rely on the tool to verify third-party models are also exposed.

Productpicklescan
Date2025-12-04 12:14:50

Technical Summary

Root Cause Analysis: The vulnerability is a CWE-20: Improper Input Validation issue in the file parsing logic. Picklescan modifies the scan severity level based on the file extension. When it encounters a file with an extension associated with PyTorch (e.g., .pt, .pth), it does not perform a deep inspection for dangerous pickle opcodes. This allows a standard malicious pickle payload, which would normally be detected, to completely evade analysis if encapsulated in a file with one of these extensions.

Step-by-Step Attack Chain:

  1. Payload Creation: An attacker creates a malicious payload using standard Python pickle serialization techniques. This typically involves using the __reduce__ method to call a dangerous function, such as os.system or subprocess.run.
  2. Evasion: The attacker saves the malicious pickle file with a PyTorch-associated extension, for example, malicious_model.pt.
  3. Scan Bypass: The vulnerable version of Picklescan is invoked to scan malicious_model.pt. Due to the improper validation logic linked to the .pt extension, the tool fails to identify the dangerous opcodes and reports the file as safe.
  4. Execution: A downstream application or developer, trusting the scan result, loads the file using a standard function like pickle.load(). The deserialization process executes the embedded payload, triggering Remote Code Execution on the host system with the application’s privileges.

Conceptual Code Logic: The following example illustrates the dangerous pattern, but it is not a direct exploit. The vulnerability lies in the fact that Picklescan fails to detect such structures in .pt files.

# Conceptual example of a Malicious Pickle object
# An attacker inserts this structure into a .pt file to bypass the scanner.
# This code is for illustrative purposes only.

import os

class Exploit:
    def __reduce__(self):
        # This function is called automatically during deserialization.
        # An attacker would insert a command to be executed on the target system.
        cmd = ("echo 'Code execution achieved' > /tmp/pwned")
        return (os.system, (cmd,))

# When a program calls pickle.load() on a file containing this serialized object,
# os.system(cmd) is executed.

Affected Versions:

  • Vulnerable: Picklescan versions up to and including 0.0.30
  • Fixed: The fix is available starting from Picklescan version 0.0.31

Recommendations

  • Immediate Update: Update the mmaitre314/picklescan tool to version 0.0.31 or later to apply the security fix.
  • Mitigations:
    • If you cannot patch immediately, reconfigure security workflows to reject all files with .pt or .pth extensions, or treat them as inherently unsafe regardless of the scan result.
    • Switch to more secure model serialization formats that do not carry execution risks, such as safetensors.

  • Hunting and Monitoring:

    • Retroactively scan all existing .pt and .pth files in model repositories using the updated version of Picklescan to identify previously undetected malicious models.
    • Monitor logs of applications that deserialize model files. Look for anomalous child processes launched (e.g., sh, bash, curl, powershell) by the application process.
    • Review network logs for suspicious outbound connections originating from hosts handling model loading and inference.

  • Incident Response:

    • If a compromise is suspected, immediately isolate the affected host from the network to prevent lateral movement.
    • Preserve the suspicious model file and relevant application/system logs for forensic analysis.
    • Assume that all credentials, keys, and sensitive data accessible by the compromised host have been exfiltrated and initiate rotation and invalidation procedures.

  • Defense in Depth:

    • Perform model loading and data processing in sandboxed or containerized environments with minimal privileges and no network access.
    • Implement strict network segmentation to ensure that even in the event of RCE, the attacker’s reach is contained.

[Callforaction-THREAT-Footer]