
CVE-2025-1944: CWE-345 Insufficient Verification of Data Authenticity in mmaitre314 picklescan

Severity: Medium
Published: Mon Mar 10 2025 (03/10/2025, 11:30:32 UTC)
Source: CVE Database V5
Vendor/Project: mmaitre314
Product: picklescan

Description

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

AI-Powered Analysis

AI analysis last updated: 12/30/2025, 23:51:20 UTC

Technical Analysis

CVE-2025-1944 identifies a vulnerability in the mmaitre314 picklescan tool, specifically versions before 0.0.23, with the reported affected version being 0.0.1. Picklescan is designed to scan PyTorch model archives, which are typically packaged as ZIP files. The vulnerability stems from insufficient verification of the authenticity of ZIP archive data (CWE-345). An attacker can craft a malicious ZIP archive by manipulating the filename in the ZIP local file header while preserving the original filename in the central directory listing. This manipulation causes picklescan to raise a BadZipFile error and crash during extraction and scanning. However, PyTorch's ZIP implementation is more tolerant and continues to load the model despite the malformed archive. This discrepancy allows malicious payloads embedded within the model archive to bypass picklescan's scanning and detection mechanisms. The vulnerability does not require authentication or privileges, but it does require user interaction to load the compromised model. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, user interaction required, and low-to-limited impact on confidentiality, integrity, and availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability poses a risk to environments that rely on picklescan to validate PyTorch models before deployment, potentially allowing attackers to execute arbitrary code or malicious payloads via compromised models.

Potential Impact

For European organizations, this vulnerability could undermine the security of machine learning workflows that incorporate PyTorch models scanned by picklescan. Attackers could bypass detection and introduce malicious code into AI/ML pipelines, potentially leading to unauthorized data access, model manipulation, or disruption of AI services. This can affect confidentiality by exposing sensitive data processed by models, integrity by corrupting model outputs or training data, and availability by causing crashes or denial of service in AI systems. Industries relying heavily on AI, such as finance, healthcare, automotive, and critical infrastructure, may face operational and reputational risks. The medium CVSS score reflects moderate impact, but the lack of authentication and ease of exploitation via crafted archives increases the threat surface. Since no known exploits are reported, the immediate risk is moderate but could escalate if weaponized. Organizations using picklescan in their ML security toolchain must be vigilant to prevent supply chain attacks or adversarial model insertions.

Mitigation Recommendations

1. Immediately upgrade picklescan to version 0.0.23 or later once available, as the vulnerability affects versions before this.
2. Until a patch is released, implement additional validation layers for PyTorch model archives, such as verifying archive integrity with trusted cryptographic hashes or signatures before scanning.
3. Employ sandboxing or isolated environments to load and test PyTorch models before deployment to contain potential malicious payloads.
4. Monitor AI/ML pipelines for anomalous behavior or crashes that could indicate exploitation attempts.
5. Educate developers and data scientists about the risks of loading untrusted or unauthenticated PyTorch models.
6. Consider alternative scanning tools or manual code review for critical models if picklescan cannot be updated promptly.
7. Integrate multi-factor verification for model provenance and supply chain security to reduce the risk of malicious model insertion.
8. Collaborate with PyTorch and picklescan maintainers to track vulnerability disclosures and patches.
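The root cause described in the technical analysis, and the "additional validation layer" of mitigation step 2, can be illustrated with a fail-closed archive consistency check. The code below is an added example written for this page, not picklescan's or PyTorch's own code: it compares each entry's local file header name against the central directory name (the field the described manipulation changes) and returns a reject verdict, instead of letting zipfile.BadZipFile propagate and crash the scanner. The sample archive and the function names are constructed for the example.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30  # fixed-size part of a ZIP local file header


def check_archive_consistency(data: bytes) -> dict:
    """Return {"verdict": "ok" | "reject", "reason": str} for a ZIP blob.

    Fail closed: an archive that Python's zipfile cannot parse, or whose
    local file header names disagree with the central directory, is
    rejected rather than allowed to crash the caller. A more forgiving
    reader (the page cites PyTorch's) may still load such an archive, so
    a crash here must not be treated as "nothing to scan".
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return {"verdict": "reject", "reason": f"unparseable archive: {exc}"}
    with zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = data[off:off + LOCAL_HEADER_LEN]
            if len(hdr) < LOCAL_HEADER_LEN or hdr[:4] != LOCAL_HEADER_SIG:
                return {"verdict": "reject",
                        "reason": f"bad local header for {info.filename!r}"}
            flags, = struct.unpack("<H", hdr[6:8])
            name_len, = struct.unpack("<H", hdr[26:28])
            raw = data[off + LOCAL_HEADER_LEN:off + LOCAL_HEADER_LEN + name_len]
            # Mirror zipfile's own decoding rule (flag bit 11 => UTF-8, else cp437).
            local_name = raw.decode("utf-8" if flags & 0x800 else "cp437")
            if local_name != info.orig_filename:
                return {"verdict": "reject",
                        "reason": f"local header name {local_name!r} differs "
                                  f"from directory name {info.orig_filename!r}"}
            try:
                with zf.open(info):  # zipfile re-validates the header here too
                    pass
            except zipfile.BadZipFile as exc:
                return {"verdict": "reject", "reason": f"member check failed: {exc}"}
        return {"verdict": "ok", "reason": f"{len(zf.infolist())} member(s) consistent"}


def build_sample_archive() -> bytes:
    """Constructed sample: a minimal well-formed archive with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data.pkl", b"constructed placeholder, not a real pickle")
    return buf.getvalue()
```

Wire the reject verdict into the scanner's result as a finding, so a malformed archive blocks deployment rather than passing through as "unscannable".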


Technical Details

Data Version
5.2
Assigner Short Name
Sonatype
Date Reserved
2025-03-04T12:59:33.809Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 695450bedb813ff03e2bf8fd

Added to database: 12/30/2025, 10:22:54 PM

Last enriched: 12/30/2025, 11:51:20 PM

Last updated: 2/7/2026, 4:42:30 AM

