CVE-2025-1944: picklescan: ZIP spoof lets malicious PyTorch models bypass scan

GHSA-7q5r-7gvp-wc82 MEDIUM PoC AVAILABLE CISA: TRACK*
Published March 10, 2025
CISO Take

Any pipeline that uses picklescan < 0.0.23 as a security gate for PyTorch model files has a blind spot: a ZIP whose local file header name differs from its central directory entry makes picklescan raise BadZipFile and stop, while PyTorch's more forgiving ZIP reader still loads the archive and unpickles the payload, so a malicious model reaches torch.load() unscanned. Upgrade to picklescan >= 0.0.23 immediately and audit any model ingestion pipeline that treats a scanner crash as a clean pass. A scanner error is not a clean scan: fail closed on any scanning error.

What is the risk?

CVSS 6.5 Medium understates operational risk for AI/ML environments. The vulnerability completely nullifies a dedicated security control (picklescan) rather than directly attacking a system — meaning organizations that believe they have model scanning coverage are exposed without knowing it. Exploitability is low-complexity (no privileges, no user interaction, network-accessible in CI/CD and model hub download flows), and the downstream payload risk is arbitrary code execution via Python pickle deserialization, which is effectively critical. Real-world risk is HIGH for any org with automated model ingestion pipelines using this tool as the primary or sole defense.

What systems are affected?

Package: picklescan (pip)
Vulnerable range: < 0.0.23
Patched in: 0.0.23
Package profile: 413, 3 dependents, pushed 1mo ago, 69% patched, ~12d to patch

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 22% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): Low

What should I do?

6 steps

  1. PATCH

    Upgrade picklescan to >= 0.0.23 in all environments (pip install 'picklescan>=0.0.23').

  2. FAIL-CLOSED

    Update pipeline logic so that any scanner exception, crash, or non-zero exit code is treated as a FAIL, not as inconclusive or passing.

  3. AUDIT

    Review logs for historical BadZipFile errors from picklescan; these may indicate exploitation attempts or already-loaded malicious models.

  4. LAYER DEFENSES

    Do not rely on picklescan alone; add hash verification against known-good checksums from model providers. Consider the SafeTensors format as a pickle-free alternative for model serialization.

  5. NETWORK CONTROLS

    Restrict outbound network from model-loading processes to limit RCE blast radius.

  6. DETECTION

    Alert on picklescan process crashes (exit code != 0) in your SIEM/pipeline monitoring.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.5 - AI supply chain security
NIST AI RMF: MANAGE 2.2 - Mechanisms to respond to AI risks and vulnerabilities
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-1944?

Any pipeline that uses picklescan < 0.0.23 as a security gate for PyTorch model files has a blind spot: a ZIP whose local file header name differs from its central directory entry makes picklescan raise BadZipFile and stop, while PyTorch's more forgiving ZIP reader still loads the archive and unpickles the payload, so a malicious model reaches torch.load() unscanned. Upgrade to picklescan >= 0.0.23 immediately and audit any model ingestion pipeline that treats a scanner crash as a clean pass. A scanner error is not a clean scan: fail closed on any scanning error.

Is CVE-2025-1944 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1944, increasing the risk of exploitation.

How to fix CVE-2025-1944?

1. PATCH: Upgrade picklescan to >= 0.0.23 in all environments (pip install 'picklescan>=0.0.23').
2. FAIL-CLOSED: Update pipeline logic so that any scanner exception, crash, or non-zero exit code is treated as a FAIL, not as inconclusive or passing.
3. AUDIT: Review logs for historical BadZipFile errors from picklescan; these may indicate exploitation attempts or already-loaded malicious models.
4. LAYER DEFENSES: Do not rely on picklescan alone; add hash verification against known-good checksums from model providers. Consider the SafeTensors format as a pickle-free alternative for model serialization.
5. NETWORK CONTROLS: Restrict outbound network from model-loading processes to limit RCE blast radius.
6. DETECTION: Alert on picklescan process crashes (exit code != 0) in your SIEM/pipeline monitoring.

What systems are affected by CVE-2025-1944?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps CI/CD pipelines, model registries.

What is the CVSS score for CVE-2025-1944?

CVE-2025-1944 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.31%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, MLOps CI/CD pipelines, model registries

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

Exploitation Scenario

An adversary targeting an ML engineering team identifies that the org downloads and scans community PyTorch models via an automated pipeline before loading them for fine-tuning. The adversary creates a .pt model file containing a malicious pickle payload that, when deserialized by torch.load(), spawns a reverse shell. They then edit the ZIP container so that the filename in the local file header differs from the one in the central directory, a discrepancy the ZIP specification does not allow but PyTorch's ZIP reader tolerates. When the pipeline runs picklescan against this file, picklescan raises BadZipFile and exits with an error. The pipeline, misconfigured to treat scan errors as non-blocking warnings, proceeds to invoke torch.load() on the model. PyTorch's permissive parser loads it successfully, deserializes the pickle payload, and executes the adversary's code in the context of the training or serving process, which typically runs with broad filesystem access and GPU/cloud credentials.
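The header spoof described in the advisory and the scenario above, together with the fail-closed gate that steps 2 and 6 of the remediation list call for, as an added example (this is not picklescan's or PyTorch's code): it builds a minimal PyTorch-style checkpoint, rewrites the filename in the local file header so it no longer matches the central directory, shows that Python's strict zipfile reader (the one picklescan's BadZipFile comes from) refuses the member while a toy forgiving reader still returns the pickle bytes, and gates the archive so that a scan error blocks the load instead of passing it. It goes slightly beyond the advisory by also walking the pickle opcodes for imported globals, which is the kind of check a pickle scanner performs. The helper names (build_model_archive, spoof_local_header_name, lenient_read, pickle_globals, gate_model_archive), the module deny-list and the sample payloads are illustrative assumptions, not anything from picklescan or PyTorch.

```python
# Added example, not picklescan's or PyTorch's code: reproduces the local-header vs central-directory
# name mismatch from the advisory and gates checkpoints fail-closed. Helper names are illustrative.
import io
import pickle
import pickletools
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
END_OF_CENTRAL_DIR_SIG = b"PK\x05\x06"
# Illustrative deny-list; picklescan maintains its own, much larger list of dangerous globals.
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "socket", "runpy", "sys"}

# Constructed sample payloads: a protocol-0 pickle that would run os.system on load, a protocol-4
# pickle that imports builtins.eval through STACK_GLOBAL, and a benign dict standing in for weights.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."


class _EvalOnLoad:
    def __reduce__(self):          # unpickling would call eval("1 + 1"); only its bytes are used here
        return (eval, ("1 + 1",))


STACK_GLOBAL_PICKLE = pickle.dumps(_EvalOnLoad(), protocol=4)
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)


def build_model_archive(payload: bytes, member: str = "archive/data.pkl") -> bytes:
    """Minimal PyTorch-style checkpoint: a stored ZIP holding one pickle member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def spoof_local_header_name(archive: bytes, old: str, new: str) -> bytes:
    """Rewrite the name in the first local file header only; the central directory keeps the real one."""
    if len(old) != len(new):       # same length keeps every offset valid, so forgiving readers still work
        raise ValueError("replacement name must keep the header length unchanged")
    pos = archive.index(LOCAL_HEADER_SIG)
    name_len = struct.unpack_from("<H", archive, pos + 26)[0]
    start = pos + 30
    if archive[start:start + name_len] != old.encode():
        raise ValueError("unexpected name in local file header")
    return archive[:start] + new.encode() + archive[start + name_len:]


def lenient_read(archive: bytes, member: str) -> bytes:
    """Toy forgiving reader (not PyTorch's): trusts the central directory, never checks the local name."""
    eocd = archive.rindex(END_OF_CENTRAL_DIR_SIG)
    pos = struct.unpack_from("<I", archive, eocd + 16)[0]          # central directory offset
    while archive[pos:pos + 4] == CENTRAL_DIR_SIG:
        csize = struct.unpack_from("<I", archive, pos + 20)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", archive, pos + 28)
        local_off = struct.unpack_from("<I", archive, pos + 42)[0]
        name = archive[pos + 46:pos + 46 + name_len].decode()
        if name == member:
            lh_name_len, lh_extra_len = struct.unpack_from("<HH", archive, local_off + 26)
            data = local_off + 30 + lh_name_len + lh_extra_len
            return archive[data:data + csize]                       # ZIP_STORED: raw payload bytes
        pos += 46 + name_len + extra_len + comment_len
    raise KeyError(member)


def pickle_globals(data: bytes) -> list:
    """Module.name globals a pickle stream imports, found by walking opcodes without unpickling."""
    ops = list(pickletools.genops(data))
    found = []
    for i, (op, arg, _) in enumerate(ops):
        if op.name == "GLOBAL":                    # protocols 0-3: "module name" in one argument
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":            # protocol 4+: module and name were pushed earlier
            parts, j = [], i - 1
            while j >= 0 and len(parts) < 2:
                if ops[j][0].name not in ("MEMOIZE", "BINPUT", "LONG_BINPUT", "PUT"):
                    if not isinstance(ops[j][1], str):
                        break
                    parts.append(ops[j][1])
                j -= 1
            found.append(".".join(reversed(parts)))
    return found


def gate_model_archive(archive: bytes) -> tuple:
    """Fail-closed gate: ("CLEAN" | "MALICIOUS" | "ERROR", detail). Only CLEAN may reach torch.load()."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                # zipfile.open() compares the local header name with the directory entry and raises
                # BadZipFile when they differ: this is the crash the spoofed archive triggers.
                with zf.open(info) as fh:
                    data = fh.read()
                if not info.filename.endswith(".pkl"):
                    continue
                hits = [g for g in pickle_globals(data) if g.split(".", 1)[0] in DANGEROUS_MODULES]
                if hits:
                    return "MALICIOUS", f"{info.filename}: {hits}"
    except Exception as exc:   # BadZipFile, truncated data, opcode errors: every one blocks the load
        return "ERROR", f"{type(exc).__name__}: {exc}"
    return "CLEAN", ""


if __name__ == "__main__":
    evil = build_model_archive(MALICIOUS_PICKLE)
    spoofed = spoof_local_header_name(evil, "archive/data.pkl", "archive/data.pkX")
    print("untampered:", gate_model_archive(evil), "| spoofed:", gate_model_archive(spoofed))
    print("forgiving reader still returns payload:", lenient_read(spoofed, "archive/data.pkl") == MALICIOUS_PICKLE)
```

In a real pipeline the ERROR branch is where the picklescan invocation's own exceptions and non-zero exit status belong: map both to a blocked load, never to a warning. The deny-list here is deliberately short; the point is the control flow around the scan result, not the completeness of the list.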

Weaknesses (CWE)

CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Timeline

Published
March 10, 2025
Last Modified
December 29, 2025
First Seen
March 10, 2025
