CVE-2025-1944: picklescan: ZIP spoof lets malicious PyTorch models bypass scan

GHSA-7q5r-7gvp-wc82 MEDIUM PoC AVAILABLE CISA: TRACK*
Published March 10, 2025
CISO Take

Any pipeline using picklescan < 0.0.23 as a security gate for PyTorch model files has a blind spot: a crafted ZIP header discrepancy crashes the scanner while PyTorch loads the payload anyway, achieving silent RCE bypass. Upgrade to picklescan 0.0.23 immediately and audit any model ingestion pipeline that treats a scanner crash as a clean pass. Do not treat scanner errors as equivalent to a clean scan — fail-closed on any scanning error.

Risk Assessment

CVSS 6.5 Medium understates operational risk for AI/ML environments. The vulnerability completely nullifies a dedicated security control (picklescan) rather than directly attacking a system — meaning organizations that believe they have model scanning coverage are exposed without knowing it. Exploitability is low-complexity (no privileges, no user interaction, network-accessible in CI/CD and model hub download flows), and the downstream payload risk is arbitrary code execution via Python pickle deserialization, which is effectively critical. Real-world risk is HIGH for any org with automated model ingestion pipelines using this tool as the primary or sole defense.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
picklescan   pip         < 0.0.23           0.0.23
picklescan   pip         No patch

Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 35% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric                      Value
AV (Attack Vector)          Network
AC (Attack Complexity)      Low
PR (Privileges Required)    None
UI (User Interaction)       None
S (Scope)                   Unchanged
C (Confidentiality)         None
I (Integrity)               Low
A (Availability)            Low

Recommended Action

6 steps

  1. PATCH
     Upgrade picklescan to >= 0.0.23 in all environments (pip install 'picklescan>=0.0.23').

  2. FAIL-CLOSED
     Update pipeline logic so that any scanner exception, crash, or non-zero exit code is treated as a FAIL, not as inconclusive or passing.

  3. AUDIT
     Review logs for historical BadZipFile errors from picklescan — these may indicate exploitation attempts or already-loaded malicious models.

  4. LAYER DEFENSES
     Do not rely on picklescan alone; add hash verification against known-good checksums from model providers. Consider the SafeTensors format as a pickle-free alternative for model serialization.

  5. NETWORK CONTROLS
     Restrict outbound network access from model-loading processes to limit the RCE blast radius.

  6. DETECTION
     Alert on picklescan process crashes (exit code != 0) in your SIEM/pipeline monitoring.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.5 - AI supply chain security
NIST AI RMF: MANAGE 2.2 - Mechanisms to respond to AI risks and vulnerabilities
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-1944 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1944, increasing the risk of exploitation.

What systems are affected by CVE-2025-1944?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps CI/CD pipelines, model registries.

What is the CVSS score for CVE-2025-1944?

CVE-2025-1944 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.15%.

Technical Details

NVD Description

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

Exploitation Scenario

An adversary targeting an ML engineering team identifies that the org downloads and scans community PyTorch models via an automated pipeline before loading them for fine-tuning. The adversary creates a .pt model file containing a malicious pickle payload that, when deserialized by PyTorch's torch.load(), spawns a reverse shell. They manipulate the ZIP archive so the filename in the local file header differs from the central directory — a format the ZIP spec prohibits but PyTorch's internal zipfile reader tolerates. When the pipeline runs picklescan against this file, picklescan raises BadZipFile and exits with an error. The pipeline, misconfigured to treat scan errors as non-blocking warnings, proceeds to invoke torch.load() on the model. PyTorch's permissive parser loads it successfully, deserializes the pickle payload, and executes the adversary's code in the context of the training or serving process — which typically runs with broad filesystem access and GPU/cloud credentials.
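The fail-closed gating from the Recommended Action steps, combined with a structural check for the local-header/central-directory filename discrepancy that the NVD description and scenario above describe, as an added example that is not picklescan's or PyTorch's code. It assumes a ZIP-based .pt file; `scanner` is a caller-supplied callable standing in for the real scanner invocation, and `make_sample_zip` builds a constructed test fixture containing no pickle payload.

```python
import os
import struct
import tempfile
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature

def zip_header_mismatches(path):
    """Return [(central_dir_name, local_header_name)] for each entry whose names
    disagree. ZipFile() parses only the central directory, so this runs even on
    an archive that a strict per-entry open() rejects with BadZipFile."""
    mismatches = []
    with zipfile.ZipFile(path) as zf, open(path, "rb") as fh:
        for info in zf.infolist():
            fh.seek(info.header_offset)
            hdr = fh.read(30)                       # fixed 30-byte local header
            if hdr[:4] != LOCAL_SIG:
                mismatches.append((info.filename, None))
                continue
            name_len = struct.unpack("<H", hdr[26:28])[0]
            local_name = fh.read(name_len).decode("utf-8", "replace")
            if local_name != info.filename:
                mismatches.append((info.filename, local_name))
    return mismatches

def gate_model(path, scanner):
    """Fail-closed gate returning (allowed, reason): only a confirmed clean result
    passes; a mismatch, a scanner finding, or ANY exception is a FAIL."""
    try:
        if bad := zip_header_mismatches(path):
            return False, f"zip header/central-directory mismatch: {bad}"
        if scanner(path) is not True:
            return False, "scanner reported findings"
        return True, "clean"
    except Exception as exc:                        # BadZipFile, crash, timeout...
        return False, f"scan error treated as FAIL: {type(exc).__name__}: {exc}"

def make_sample_zip(spoofed):
    """Constructed fixture (no model, no pickle): one stored entry. When `spoofed`,
    the name field of the first local header (file offset 30) is overwritten with
    a same-length string while the central directory keeps the original name."""
    fd, path = tempfile.mkstemp(suffix=".pt")
    os.close(fd)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("data.pkl", b"benign placeholder bytes")
    if spoofed:
        with open(path, "r+b") as fh:
            fh.seek(30)
            fh.write(b"evil.pkl")                   # same length as "data.pkl"
    return path
```

Running the structural check before the scanner means a header/central-directory disagreement is reported as a finding rather than surfacing only as a scanner crash, and the gate still fails closed if the scanner itself raises.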

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Timeline

Published: March 10, 2025
Last Modified: December 29, 2025
First Seen: March 10, 2025
