Picklescan is an open-source utility designed to scan Python pickle files, particularly those used by PyTorch to serialize machine learning models, for malicious code by analyzing bytecode and blocking dangerous imports and operations. However, three critical vulnerabilities (CVE-2025-10155, CVE-2025-10156, CVE-2025-10157) have been discovered that allow attackers to bypass these protections. CVE-2025-10155 exploits a file extension bypass, enabling malicious pickle payloads to be disguised with common PyTorch model extensions like .pt or .bin, thus evading detection. CVE-2025-10156 leverages a CRC error in ZIP archives to disable archive scanning, allowing malicious models packaged in ZIP files to bypass checks. CVE-2025-10157 circumvents the unsafe globals check by evading the blocklist of dangerous imports, enabling arbitrary code execution upon loading the model. These vulnerabilities collectively allow attackers to embed malicious code within PyTorch models that appear safe to Picklescan, facilitating supply chain attacks where compromised models are distributed to unsuspecting users. The flaws highlight systemic challenges in securing AI model pipelines, including reliance on blocklists rather than allowlists, discrepancies between security tools and PyTorch’s file handling, and the rapid evolution of AI libraries outpacing security tooling. The vulnerabilities were responsibly disclosed on June 29, 2025, and addressed in Picklescan version 0.0.31 released on September 9, 2025. Despite patches, the incident underscores the need for continuous adaptive security measures in AI model management.

For European organizations, especially those involved in AI research, development, and deployment using PyTorch, these vulnerabilities pose a significant risk. Attackers could distribute malicious models that evade detection, leading to arbitrary code execution on systems that load these models. This could result in unauthorized access, data exfiltration, system compromise, and disruption of AI services. Supply chain attacks leveraging these flaws could affect multiple organizations downstream, amplifying the impact. Critical infrastructure and sectors relying on AI-driven decision-making or automation could face operational disruptions or data integrity issues. The complexity and novelty of these attack vectors may also hinder timely detection and response. Organizations using Picklescan as a primary defense may have a false sense of security, increasing exposure. The threat is particularly acute for entities integrating third-party or community-contributed models without stringent validation, common in collaborative AI environments prevalent in Europe.

1. Immediately update Picklescan to version 0.0.31 or later to apply the security patches addressing these vulnerabilities. 2. Implement multi-layered scanning strategies that combine allowlisting with behavioral analysis to detect novel malicious payloads beyond blocklists. 3. Restrict loading of PyTorch models to trusted sources and enforce strict provenance and integrity checks, such as cryptographic signatures. 4. Avoid loading untrusted pickle files; where possible, use alternative serialization formats like TensorFlow SavedModel or Flax that do not execute arbitrary code on load. 5. Employ sandboxing or isolated environments for loading and testing new models before deployment in production. 6. Monitor AI model supply chains for unusual activity or unexpected updates. 7. Educate developers and data scientists on the risks of untrusted model loading and secure coding practices. 8. Collaborate with AI security researchers to stay informed about emerging threats and adapt defenses accordingly. 9. Integrate continuous security testing and threat intelligence into AI development pipelines to detect and respond to evolving attack techniques.