Critical Vulnerabilities in Picklescan: A Cybersecurity Alert

Author: Infosec Now

Uploaded: 2025-12-25

Views: 2

Description:

In this video, we dive into the recently disclosed vulnerabilities in the open-source utility, Picklescan, which have the potential to allow malicious actors to execute arbitrary code through untrusted PyTorch models. These critical flaws were revealed on December 3, 2025, and they highlight significant risks associated with the serialization format used in machine learning.

*What you’ll learn:* We will explore the nature of these vulnerabilities, the timeline of their discovery, and the implications for organizations using machine learning models. Additionally, we will provide actionable recommendations on how to safeguard against these threats.

Picklescan, developed by Matthieu Maitre, is designed to parse Python pickle files and detect suspicious imports or function calls before execution. However, the recent findings by JFrog reveal that three critical security flaws could enable attackers to bypass these protections. The vulnerabilities are as follows:

1. **CVE-2025-10155**: A file-extension bypass that undermines the scanner's extension-based handling, so models carrying standard PyTorch-related extensions such as .bin or .pt can be loaded.
2. **CVE-2025-10156**: A bypass in which a Cyclic Redundancy Check (CRC) error in a ZIP archive causes the scanner to abandon scanning of the archive.
3. **CVE-2025-10157**: A weakness in the unsafe-globals check that allows arbitrary code execution by circumventing the blocklist of dangerous imports.

Exploitation of these flaws could lead to large-scale supply chain attacks in which malicious machine learning models are distributed while concealing harmful code the scanner cannot detect. Security researcher David Cohen emphasizes that these vulnerabilities could facilitate significant breaches, allowing attackers to execute malicious payloads hidden within legitimate-looking files.

Following the responsible disclosure of these vulnerabilities on June 29, 2025, Picklescan released version 0.0.31 on September 9, addressing the identified issues. However, this incident raises broader concerns about the reliance on single scanning tools and the discrepancies in file-handling behaviors between security tools and frameworks like PyTorch.

Organizations must take proactive measures to mitigate these risks. This includes ensuring that only trusted models are loaded, regularly updating security tools, and adopting a multi-layered security approach that can adapt to the rapid evolution of AI technologies. As the landscape of machine learning continues to grow more complex, the gap between innovation and security protection widens, leaving many organizations vulnerable to emerging threats.
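As an added example (not the page's or Picklescan's own code), the following minimal content-based pickle inspector shows the defensive counterpart of each flaw listed above: it locates the pickle by content rather than by file extension, fails closed when a ZIP member cannot be read, and checks every resolved global against an allowlist instead of a blocklist. ALLOWED_GLOBALS, the constructed sample inputs and the memo tracking (which covers what Python's own pickler emits) are assumptions made for this example.

```python
import collections, io, pickle, pickletools, zipfile, zlib
# Hypothetical loader policy: an allowlist of globals, not a blocklist of known-dangerous imports.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def referenced_globals(data: bytes) -> set:
    """List every (module, name) a pickle resolves, by opcode inspection, without executing it."""
    found, memo, strs, last = set(), {}, [], None
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                      # protocol <= 3: one "module name" argument
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":              # protocol 4+: top two stack strings
            found.add((strs[-2], strs[-1]))
        elif "UNICODE" in op.name:                   # string push that may feed STACK_GLOBAL
            strs.append(arg); last = arg
        elif op.name in ("BINGET", "LONG_BINGET"):   # a memoized module name reused later
            strs.append(memo.get(arg)); last = strs[-1]
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        else:
            last = None
    return found

def pickle_streams(blob: bytes):
    """Locate pickles by content, never by extension: a .pt/.bin ZIP checkpoint keeps it in */data.pkl."""
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.filename.endswith("data.pkl"):
                    yield zf.read(info)              # raises BadZipFile on a CRC mismatch
    else:
        yield blob

def verdict(blob: bytes) -> tuple:
    """Return ('safe'|'unsafe'|'error', disallowed globals); anything unreadable fails closed."""
    try:
        found = set().union(*map(referenced_globals, pickle_streams(blob)))
    except (zipfile.BadZipFile, zlib.error, ValueError):
        return "error", set()                        # an archive that cannot be scanned is not "clean"
    disallowed = found - ALLOWED_GLOBALS
    return ("unsafe" if disallowed else "safe"), disallowed

# Constructed inputs, not real models: a benign state dict wrapped like a PyTorch zip checkpoint,
# a pickle resolving a global outside the allowlist, and the checkpoint with one stored byte flipped.
_STATE = pickle.dumps(collections.OrderedDict(w=[1, 2]))
with zipfile.ZipFile(_BUF := io.BytesIO(), "w", zipfile.ZIP_STORED) as _zf:
    _zf.writestr("model/data.pkl", _STATE)
SAMPLES = {"state_dict.bin": _BUF.getvalue(),
           "unlisted.pkl": pickle.dumps(collections.deque([1])),
           "crc_damaged.pt": _BUF.getvalue().replace(_STATE, _STATE[:-1] + b"\x00")}

def scan_samples() -> dict:
    return {name: verdict(blob) for name, blob in SAMPLES.items()}
```

Note that the damaged checkpoint is reported as an error rather than silently passing, and that the unlisted global is flagged even though `collections.deque` is harmless: an allowlist refuses the unknown by default.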

In conclusion, the vulnerabilities found in Picklescan serve as a critical reminder of the importance of robust security measures in the rapidly evolving field of machine learning. By staying informed and vigilant, organizations can better protect themselves against potential cyber threats.
