Three critical bugs in Picklescan could let malicious PyTorch models execute code, researchers say

Three critical security flaws have been disclosed in Picklescan, a widely used open-source scanner for Python pickle files. Researchers said the flaws let malicious PyTorch models slip past the scanner, so that an attacker who gets a target to load an untrusted model can execute arbitrary code on the loading machine.

Picklescan, developed by Matthieu Maitre, inspects pickle files at the opcode (bytecode) level without executing them, and flags suspicious behavior by matching the imports and operations it finds against a blocklist of hazardous ones. Security guidance for model serialization warns that pickle files are risky whenever models come from untrusted sources; PyTorch's documentation on saving and loading models and Hugging Face's wider discussion of pickle risk both cover this.

JFrog and others reported three bypass vulnerabilities in Picklescan: CVE-2025-10155, a file extension bypass (CVSS scores reported: 9.3 and 7.8); CVE-2025-10156, a ZIP scanning bypass triggered by a CRC error (9.3 and 7.5); and CVE-2025-10157, a bypass of the unsafe-globals check leading to arbitrary code execution (9.3 and 8.3). Respectively, they could be used to hide malicious pickle payloads in files carrying common PyTorch extensions, to corrupt a ZIP archive so the scanner gives up on inspecting it while the model still loads, or to craft a model whose imports evade the tool's blocklist.
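
To make the scanning model and two of the bypass classes concrete, here is an added example (written for this page, not Picklescan's or PyTorch's code) of a minimal opcode-level scanner. It walks the pickle with `pickletools.genops` instead of executing it, resolves `GLOBAL`, `INST` and `STACK_GLOBAL` references (including ones that reach the stack through the memo), checks them against a toy blocklist that is an illustrative subset rather than Picklescan's real list, dispatches on magic bytes rather than on file extension, and treats an archive it cannot read intact, such as one whose CRC has been corrupted, as suspicious instead of skipping it. The sample pickles, the in-memory ZIP builder and the CRC-corruption helper are constructed for the demonstration; the member names only loosely mimic a PyTorch zip checkpoint.

```python
"""Opcode-level pickle scanner that classifies by content and fails closed.
Added example for this page, not Picklescan's or PyTorch's code."""
import io
import pickle
import pickletools
import zipfile

# Toy blocklist: an illustrative subset, NOT Picklescan's real list.  Note that
# os.system pickles as posix.system on Unix (nt.system on Windows).
UNSAFE_GLOBALS = {
    ("os", "system"), ("os", "popen"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
ZIP_MAGIC = b"PK\x03\x04"


def iter_globals(data):
    """Yield (module, name) for every global the pickle would import, without
    executing anything.  GLOBAL/INST carry the pair inline; STACK_GLOBAL
    (protocol 4+) takes the two most recent str pushes, which may arrive via the memo."""
    memo, strs, last = {}, [], None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:                        # a str was pushed
            strs.append(arg)
            last = arg
        elif op.name == "MEMOIZE":                       # memo[next index] = top of stack
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)                         # re-pushing a memoised str counts
            if isinstance(last, str):
                strs.append(last)
        else:
            if op.name in ("GLOBAL", "INST"):
                module, name = arg.split(" ", 1)
                yield module, name
            elif op.name == "STACK_GLOBAL" and len(strs) >= 2:
                name, module = strs.pop(), strs.pop()
                yield module, name
            last = None                                  # top of stack is no longer a str


def looks_like_pickle(data):
    """True if the bytes parse as a complete pickle stream ending in STOP."""
    try:
        ops = list(pickletools.genops(data))
    except (ValueError, EOFError, IndexError):
        return False
    return bool(ops) and ops[-1][0].name == "STOP"


def unsafe_globals(data):
    return [g for g in iter_globals(data) if g in UNSAFE_GLOBALS]


def scan_file(data):
    """Dispatch on magic bytes, never on the file name.  'clean' is returned only
    after every member was read intact and parsed; an archive that cannot be read
    (e.g. CRC mismatch) is 'suspicious', an unknown format is 'unscanned'."""
    if data.startswith(ZIP_MAGIC):
        findings = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = zf.read(info.filename)      # BadZipFile on CRC mismatch
                    if looks_like_pickle(member):
                        findings += [(info.filename,) + g for g in unsafe_globals(member)]
        except (zipfile.BadZipFile, ValueError) as exc:
            return {"verdict": "suspicious", "reason": f"unreadable archive: {exc}", "findings": []}
        return {"verdict": "dangerous" if findings else "clean", "reason": "", "findings": findings}
    if looks_like_pickle(data):
        findings = [("<stream>",) + g for g in unsafe_globals(data)]
        return {"verdict": "dangerous" if findings else "clean", "reason": "", "findings": findings}
    return {"verdict": "unscanned", "reason": "unrecognised format", "findings": []}


def make_zip(members):
    """Build a stored ZIP in memory (test fixture, not a real checkpoint writer)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def corrupt_crc(zip_bytes):
    """Overwrite the CRC-32 of the first central-directory entry (offset 16 from its
    PK\\x01\\x02 signature).  Member bytes stay intact, so a loader that skips CRC
    checks still gets the payload, while zipfile raises BadZipFile on read."""
    cd = zip_bytes.find(b"PK\x01\x02")
    if cd < 0:
        raise ValueError("no central directory")
    return zip_bytes[:cd + 16] + b"\xde\xad\xbe\xef" + zip_bytes[cd + 20:]


# Constructed samples, not real model files.  Payloads are never executed here.
PLAIN_RCE = b"cos\nsystem\n(S'echo pwned'\ntR."                     # protocol 0: GLOBAL os.system, REDUCE
PROTO4_RCE = (b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93\x94"    # protocol 4: STACK_GLOBAL
              b"\x8c\x0aecho pwned\x94\x85\x94R\x94.")
MEMO_REUSE = (b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93\x94"    # second global fetches "os"
              b"h\x00\x8c\x05popen\x94\x93\x94.")                    # from the memo via BINGET 0
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)
GOOD_ZIP = make_zip({"archive/data.pkl": BENIGN, "archive/version": b"3\n"})
BAD_ZIP = make_zip({"archive/data.pkl": PROTO4_RCE, "archive/version": b"3\n"})

if __name__ == "__main__":
    for label, blob in [("plain pickle", PLAIN_RCE), ("protocol 4", PROTO4_RCE),
                        ("memo reuse", MEMO_REUSE), ("benign", BENIGN), ("good zip", GOOD_ZIP),
                        ("bad zip", BAD_ZIP), ("bad zip, CRC corrupted", corrupt_crc(BAD_ZIP))]:
        print(f"{label:24s} {scan_file(blob)['verdict']}")
```

Run it as a script to see the verdicts. The design point is that `clean` is returned only after every member was read and parsed: whether the archive fails its CRC check, the bytes arrive under an unexpected extension, or the format is unknown, the caller sees something other than `clean`. The `posix.system` entry is a reminder that a blocklist keyed on module names has to list every alias a loader will actually resolve.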

JFrog researcher David Cohen said the flaws let attackers evade Picklescan's detection and could enable large-scale supply chain attacks through the distribution of malicious models; details are published on JFrog's blog and advisories are available from the project. The three issues were reported under coordinated disclosure on June 29, 2025, and fixed in Picklescan version 0.0.31, released on Sept. 9.

Separately, the security teams SecDim and DCODX described a related high-severity issue, CVE-2025-46417, and a project advisory shows how malicious pickle files can be used to exfiltrate data via DNS: the demonstrated scenario repurposes standard library modules to read local files and transmit their contents to an attacker-controlled domain.

Researchers said the findings highlight a systemic limit of blocklist-based scanners: AI libraries and model formats evolve faster than detection rules can be updated. JFrog and other analysts called for more adaptive, research-driven protections for model repositories and advised organizations to apply the available fixes.
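
As an added example of the allowlist alternative that the researchers' conclusion points toward (written for this page, not Picklescan's or PyTorch's code), the following restricted unpickler resolves only globals it has been told to expect. `pickle.Unpickler.find_class` is the hook every `GLOBAL`, `INST` and `STACK_GLOBAL` opcode goes through, so raising there stops a payload before any `REDUCE` or `BUILD` can call it. The allowlist, the toy blocklist used for contrast and the sample pickles are all constructed for the demonstration; a real loader would allowlist exactly the container and tensor types its format needs.

```python
"""Allowlist-based loading: the unpickler refuses any global it was not told to
expect, so an unlisted dangerous callable is rejected without a blocklist rule.
Added example for this page, not Picklescan's or PyTorch's code."""
import collections
import importlib
import io
import pickle

# Globals this loader is willing to resolve (assumed, illustrative).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Toy name-based blocklist for contrast; not Picklescan's list.
TOY_BLOCKLIST = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every global reference before it is used."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def blocklist_clears(module, name):
    """What a pure name-based blocklist says about a global it has never seen."""
    return (module, name) not in TOY_BLOCKLIST


def load_verdict(data):
    """('loaded', object) or ('refused', reason).  Nothing runs on refusal, because
    find_class raises at the GLOBAL opcode, before REDUCE can call the callable."""
    try:
        return "loaded", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


# Constructed samples, not real model files.
BENIGN = pickle.dumps(collections.OrderedDict(bias=0.5), protocol=4)
RCE_OS_SYSTEM = b"cos\nsystem\n(S'echo pwned'\ntR."           # listed by the toy blocklist
UNLISTED_CALLABLE = b"cshutil\nrmtree\n(S'/tmp/victim'\ntR."  # not listed: the blocklist clears it

if __name__ == "__main__":
    for label, blob in [("benign OrderedDict", BENIGN), ("os.system", RCE_OS_SYSTEM),
                        ("shutil.rmtree", UNLISTED_CALLABLE)]:
        print(f"{label:20s} {load_verdict(blob)}")
    print("toy blocklist clears shutil.rmtree:", blocklist_clears("shutil", "rmtree"))
```

The contrast is the structural point: the toy blocklist clears `shutil.rmtree` simply because nobody listed it, while the allowlist refuses it for the same reason it refuses `os.system`. PyTorch's `torch.load(..., weights_only=True)` applies the same principle with an allowlist of the globals a tensor checkpoint needs.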