Executive Summary
In December 2025, severe vulnerabilities were revealed in Picklescan, an open-source security tool designed to scan Python pickle files for malicious code, particularly those used with PyTorch models. Attackers were able to exploit three critical flaws, bypassing Picklescan’s intended protections to execute arbitrary code during model loading processes. This effectively enabled the distribution of malicious machine learning models that could compromise developer and production environments. The risk was amplified due to Picklescan’s popularity in data science and AI workflows, potentially impacting organizations across multiple sectors relying on PyTorch. The incident is a stark reminder of the growing risk posed by supply-chain vulnerabilities in open-source AI and machine learning tooling, especially as the adoption of MLOps and automated model deployment platforms accelerates. Organizations now face increased regulatory scrutiny and operational risks tied to software supply chain security in the era of AI-driven applications.
Why This Matters Now
With the rapid growth of AI and machine learning in enterprise environments, supply-chain attacks targeting model management tools like Picklescan present a critical threat vector. The disclosure highlights urgent vulnerabilities in widely adopted open-source security tools used across data science pipelines, underlining the need for robust validation, zero trust policies, and continuous monitoring of all code and data artifacts.
Attack Path Analysis
An attacker inserted a malicious payload into a PyTorch model, which the victim then loaded after it passed through Picklescan, bypassing the expected scan protections. After initial compromise, the attacker's code ran with the rights of the process that loaded the model, potentially elevating privileges within the cloud environment. Lateral movement was possible as the code attempted network reconnaissance or pivoted to other cloud workloads. The attacker established command and control through outbound connections to remote infrastructure. Data exfiltration could occur over permitted egress channels, enabling theft of sensitive artifacts or credentials. Finally, impact was realized through persistent access, data tampering, or additional payload deployment.
Kill Chain Progression
Initial Compromise
Description
A malicious PyTorch model containing exploit code was delivered via the software supply chain and executed when loaded, bypassing Picklescan's protection.
Related CVEs
CVE-2025-1889
CVSS 9.8
Picklescan fails to detect hidden pickle files embedded in PyTorch model archives due to reliance on file extensions, allowing attackers to embed malicious pickle files with non-standard extensions that remain undetected but are executed upon loading.
Affected Products:
mmaitre314 picklescan – < 0.0.22
Exploit Status:
proof of concept
CVE-2025-1944
CVSS 6.5
Picklescan is vulnerable to a ZIP archive manipulation attack that causes it to crash when extracting and scanning PyTorch model archives, allowing malicious payloads to bypass detection.
Affected Products:
mmaitre314 picklescan – < 0.0.23
Exploit Status:
proof of concept
CVE-2025-1945
CVSS 9.8
Picklescan fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified, leading to arbitrary code execution upon loading a compromised model.
Affected Products:
mmaitre314 picklescan – < 0.0.23
Exploit Status:
proof of concept
CVE-2025-10155
CVSS 9.3
An Improper Input Validation vulnerability in picklescan allows remote attackers to bypass security checks by supplying a standard pickle file with a PyTorch-related file extension, leading to arbitrary code execution.
Affected Products:
mmaitre314 picklescan – <= 0.0.30
Exploit Status:
proof of concept
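The four CVEs above share one root cause: a decision made from file names (extensions, ZIP metadata) instead of from file contents, combined with a scanner that skips what it cannot parse. The following is an added example written for this advisory, not Picklescan's own code, showing the defensive shape a model scanner needs: sniff every archive entry as a pickle regardless of its name, treat a bare pickle under a .pt name the same way, and fail closed on any ZIP or pickle that cannot be fully read. The fixtures are constructed here; datetime.date is used as a benign stand-in for a pickle that references importable code, because it serialises with the same GLOBAL/REDUCE opcode pattern a scanner must flag.

```python
import datetime
import io
import pickle
import pickletools
import zipfile

# Opcodes that let a pickle reach importable code or call it. Any of them in a
# pickle from an untrusted source is reason to reject the file outright.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle_bytes(data: bytes) -> set:
    """Return the names of risky opcodes found in a pickle stream.

    Raises if the bytes are not a complete, parseable pickle; in a scanner the
    caller's answer to that is 'reject', never 'skip'.
    """
    return {op.name for op, _arg, _pos in pickletools.genops(data) if op.name in RISKY_OPCODES}


def scan_archive(blob: bytes) -> dict:
    """Scan every entry of a ZIP by content, ignoring names and extensions.

    PyTorch .pt/.pth files are ZIPs whose pickle normally sits at data.pkl, but
    a pickle stored under any other name is loaded just the same, so every
    entry is sniffed. Any failure to read the archive is a reject.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                data = zf.read(info)  # raises BadZipFile on CRC mismatch etc.
                try:
                    ops = scan_pickle_bytes(data)
                except Exception:
                    # Not a parseable pickle. A PROTO header (0x80) on bytes that
                    # do not parse means a truncated or malformed pickle rather
                    # than plain data, so it is flagged instead of ignored.
                    if data[:1] == b"\x80":
                        findings.append((info.filename, "malformed pickle"))
                    continue
                if ops:
                    findings.append((info.filename, "risky opcodes: " + ", ".join(sorted(ops))))
    except Exception as exc:
        findings.append(("<archive>", f"unreadable ZIP: {exc}"))
    return {"verdict": "unsafe" if findings else "clean", "findings": findings}


def scan_model_bytes(blob: bytes) -> dict:
    """Entry point: classify by content, not by extension.

    A ZIP is scanned entry by entry; anything else is treated as a bare pickle
    (a plain pickle shipped under a .pt name) and rejected unless it is a
    clean, parseable pickle.
    """
    if zipfile.is_zipfile(io.BytesIO(blob)):
        return scan_archive(blob)
    try:
        ops = scan_pickle_bytes(blob)
    except Exception as exc:
        return {"verdict": "unsafe", "findings": [("<file>", f"not a ZIP and not a parseable pickle: {exc}")]}
    findings = [("<file>", "risky opcodes: " + ", ".join(sorted(ops)))] if ops else []
    return {"verdict": "unsafe" if findings else "clean", "findings": findings}


# Constructed fixtures (not real models).

def code_referencing_pickle() -> bytes:
    """Benign stand-in: datetime.date serialises as GLOBAL datetime.date ... REDUCE,
    the opcode pattern a scanner must flag whatever the file is called."""
    return pickle.dumps(datetime.date(2024, 1, 1), protocol=2)


def data_only_pickle() -> bytes:
    """A pickle made only of literals: no GLOBAL/REDUCE, nothing to execute."""
    return pickle.dumps({"weights": [0.1, 0.2]})


def build_sample_archive() -> bytes:
    """PyTorch-style layout with the code-referencing pickle hidden under a
    non-pickle extension (the extension-trust weakness)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", data_only_pickle())
        zf.writestr("model/extra/config.txt", code_referencing_pickle())
        zf.writestr("model/version", b"3\n")
    return buf.getvalue()


def corrupt_sample_archive() -> bytes:
    """Same archive with one byte of the first entry's stored data flipped, so
    reading it fails the CRC check (the crash-on-extract weakness)."""
    blob = bytearray(build_sample_archive())
    with zipfile.ZipFile(io.BytesIO(bytes(blob))) as zf:
        info = zf.getinfo("model/data.pkl")
    # A local file header is 30 bytes, followed by the name and extra field.
    start = info.header_offset + 30 + len(info.filename) + len(info.extra)
    blob[start + 3] ^= 0xFF
    return bytes(blob)


if __name__ == "__main__":
    for label, blob in [("archive", build_sample_archive()),
                        ("corrupt archive", corrupt_sample_archive()),
                        ("bare pickle under a .pt name", code_referencing_pickle())]:
        print(label, scan_model_bytes(blob))
```

The scanner is a pre-check, not the fix for the loading side: a pickle that passes it is still deserialised by Python's general-purpose unpickler. For untrusted weights the stronger control is to avoid that unpickler altogether, for example PyTorch's torch.load(weights_only=True), which restricts unpickling to tensor and container types.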
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain
Command and Scripting Interpreter: Python
Phishing: Spearphishing Attachment
Indicator Removal on Host: File Deletion
User Execution: Malicious File
Stage Capabilities: Upload Malware
Subvert Trust Controls: Code Signing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Development Management
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Chapter II, Article 5
CISA ZTMM 2.0 – Application Security: Software Supply Chain Management
Control ID: 04.02.01
NIS2 Directive – Supply Chain Security in ICT Systems
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical supply-chain vulnerabilities in PyTorch ML models bypass Picklescan security, enabling arbitrary code execution in AI/ML development pipelines.
Information Technology/IT
Picklescan bypass flaws compromise ML model validation processes, allowing malicious code injection through trusted AI development and deployment workflows.
Financial Services
ML model security vulnerabilities threaten algorithmic trading systems and AI-powered fraud detection, requiring enhanced zero trust segmentation controls.
Health Care / Life Sciences
Compromised PyTorch models could infiltrate medical AI systems, violating HIPAA compliance and endangering patient data through supply-chain attacks.
Sources
- Picklescan Bugs Allow Malicious PyTorch Models to Evade Scans and Execute Code – https://thehackernews.com/2025/12/picklescan-bugs-allow-malicious-pytorch.html (Verified)
- Exposing 4 Critical Vulnerabilities in Python Picklescan – https://www.sonatype.com/blog/bypassing-picklescan-sonatype-discovers-four-vulnerabilities (Verified)
- PickleScan Bypass via File Extension Mismatch | XRAY-720936 - JFrog Security Research – https://research.jfrog.com/vulnerabilities/picklescan-cve-2025-10155/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress security, and inline threat detection would have constrained the attack by isolating workloads, enforcing least privilege, and blocking outbound communications or data theft at key points in the kill chain.
Control: Threat Detection & Anomaly Response
Mitigation: Detects suspicious model loading and anomaly in process behavior.
Control: Zero Trust Segmentation
Mitigation: Limits scope of escalation by enforcing strict identity-based segmentation.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral movement between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Interrupts unauthorized outbound connections to external C2 infrastructure.
Control: Cloud Firewall (ACF)
Mitigation: Prevents data exfiltration via enforced outbound policies.
Contains and autonomously disrupts ongoing malicious actions.
Impact at a Glance
Affected Business Functions
- Machine Learning Model Deployment
- Data Analysis
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive data processed by compromised machine learning models, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and microsegmentation across workloads to prevent lateral movement and limit blast radius.
- Deploy inline anomaly detection and real-time threat monitoring to rapidly identify suspicious supply chain activity or code execution.
- Strictly enforce egress filtering and FQDN/URL policies to restrict unauthorized outbound and exfiltration attempts.
- Implement distributed Cloud Firewall and East-West traffic controls to block covert communication and unauthorized internal connectivity.
- Continuously baseline workload behaviors and empower rapid response through automated cloud-native policy enforcement and visibility.