CVE-2025-1945

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781	Patch
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792	Exploit Vendor Advisory
https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-10 12:15

Updated : 2025-03-19 16:14

NVD link : CVE-2025-1945

Mitre link : CVE-2025-1945

CVE.ORG link : CVE-2025-1945

JSON object : View

Products Affected

mmaitre314

picklescan

CWE

CWE-345

Insufficient Verification of Data Authenticity

NVD-CWE-noinfo

{"id": "CVE-2025-1945", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "103e4ec9-0a87-450b-af77-479448ddef11", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-10T12:15:12.450", "references": [{"url": "https://github.com/mmaitre314/picklescan/commit/e58e45e0d9e091159c1554f9b04828bbb40b9781", "tags": ["Patch"], "source": "103e4ec9-0a87-450b-af77-479448ddef11"}, {"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-w8jq-xcqf-f792", "tags": ["Exploit", "Vendor Advisory"], "source": "103e4ec9-0a87-450b-af77-479448ddef11"}, {"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-1945", "tags": ["Exploit", "Third Party Advisory"], "source": "103e4ec9-0a87-450b-af77-479448ddef11"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "103e4ec9-0a87-450b-af77-479448ddef11", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model."}, {"lang": "es", "value": "Las versiones anteriores a la versi\u00f3n 0.0.23 de picklescan no detectan archivos pickle maliciosos dentro de los archivos de modelos de PyTorch cuando se modifican ciertos bits de indicadores de archivos ZIP. Al invertir bits espec\u00edficos en los encabezados de archivos ZIP, un atacante puede incrustar archivos pickle maliciosos que PickleScan no detecta, pero que se cargan correctamente con la funci\u00f3n Torch.load() de PyTorch. Esto puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario al cargar un modelo comprometido."}], "lastModified": "2025-03-19T16:14:37.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B21661AE-0228-49C7-A966-4FDA8DAF0C0B", "versionEndExcluding": "0.0.23"}], "operator": "OR"}]}], "sourceIdentifier": "103e4ec9-0a87-450b-af77-479448ddef11"}